Windows Analysis Report
Purchase Order PO.exe

Overview

General Information

Sample name:	Purchase Order PO.exe
Analysis ID:	1560968
MD5:	28d64b4cc91c016c93eb28e1f465efd2
SHA1:	a627004d9e1217d7aa46650f6f7c4e4f085d446b
SHA256:	98ffb783354435168540dc2e8eb4570f865f324169d553ffbad828bf9f33acd3
Tags:	exeuser-James_inthe_box
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Purchase Order PO.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Purchase Order PO.exe

ReversingLabs: Detection: 65%

Yara detected FormBook

Source: Yara match	File source: 2.2.Purchase Order PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Purchase Order PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4172302652.0000000005670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4169256921.0000000002D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4170584214.0000000004CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4170538455.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134871373.0000000001DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131373286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4170384363.0000000002F20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2135061100.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Purchase Order PO.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: Purchase Order PO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Purchase Order PO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: isoburn.pdb source: Purchase Order PO.exe, 00000002.00000002.2132616252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, QfgdvbjddZ.exe, 00000006.00000002.4169823337.0000000001298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: isoburn.pdbGCTL source: Purchase Order PO.exe, 00000002.00000002.2132616252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, QfgdvbjddZ.exe, 00000006.00000002.4169823337.0000000001298000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QfgdvbjddZ.exe, 00000006.00000002.4169230923.000000000060E000.00000002.00000001.01000000.0000000C.sdmp, QfgdvbjddZ.exe, 00000008.00000002.4169232027.000000000060E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: Purchase Order PO.exe, 00000002.00000002.2133689929.0000000001A60000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000007.00000002.4170830820.000000000516E000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000007.00000003.2131525150.0000000004C74000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000007.00000002.4170830820.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000007.00000003.2135458360.0000000004E29000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order PO.exe, Purchase Order PO.exe, 00000002.00000002.2133689929.0000000001A60000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, isoburn.exe, 00000007.00000002.4170830820.000000000516E000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000007.00000003.2131525150.0000000004C74000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000007.00000002.4170830820.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000007.00000003.2135458360.0000000004E29000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\isoburn.exe

Code function: 7_2_02D2C4E0 FindFirstFileW,FindNextFileW,FindClose,

7_2_02D2C4E0

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 4x nop then jmp 0114483Fh	0_2_01144668
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 4x nop then jmp 07468DFAh	0_2_07468802
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 4x nop then xor eax, eax	7_2_02D19E40
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 4x nop then mov ebx, 00000004h	7_2_04DE04F8

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.cyperla.xyz
Source:	DNS query: www.070002018.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 161.97.142.144 161.97.142.144

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CONTABODE CONTABODE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 22 Nov 2024 14:12:34 GMTserver: Apacheset-cookie: __tad=1732284754.2783085; expires=Mon, 20-Nov-2034 14:12:34 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 51 ac 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 12 5b f2 24 3a 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 29 12 15 5e 39 dd 13 d0 a1 47 11 13 de 53 be 91 3b 79 8a c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 4f d8 d7 52 95 d1 4e 3a 70 58 69 87 8a 7e b4 da 6c 41 40 d2 10 f5 cb 3c df ef f7 d9 b3 ba fc da 0e d7 f9 fb 64 15 45 79 0e b7 48 20 81 74 87 76 20 b0 35 5c 2d 16 d0 69 e5 ac 47 65 4d e5 81 2c e0 3d aa 81 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 1e 8c 22 6d 0d 1f b7 ed 9d 54 db 9b 29 55 3a 87 87 68 b6 d7 a6 b2 fb ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f e7 49 dd 8b 8b 77 c9 7c 15 1d a3 88 dc 21 30 59 a5 27 70 95 fb 36 99 10 e0 91 a6 4d fa 67 b5 37 c1 20 f3 67 a1 61 75 ff 75 d2 2c e0 e3 b3 93 cf b7 ac 43 56 e9 43 67 8d 26 cb a1 f5 32 c8 f6 78 0c cc 27 56 34 9b 65 dc 04 93 d6 3d 88 92 b3 65 6b 64 3b f3 a7 38 bf cc 1c fa a1 a5 70 fe 00 61 3f 15 76 41 67 b0 93 9c 9f 10 d9 4e fb 50 ec 53 b5 1a 61 aa 45 f9 68 29 7d 76 37 3f 9d fe 5f bb 42 99 91 10 74 1f 81 b1 aa 49 d1 b9 b1 e3 7f 7f 87 b1 ab 2f 47 8e 0e 3c c5 70 67 2b 6e 34 04 ec da d9 c1 54 cb b3 cb c5 a5 ba ba 86 23 30 7a 04 31 6d ba 0c 23 fa 6e ad 6c 6b 9d 88 cf ea 71 c5 10 26 96 b7 8b 71 f1 bc 16 95 de c1 c8 15 49 a5 3d ab 3f 2c c1 58 83 ab a4 2c 24 34 0e 6b f1 cf f9 0d 93 70 95 94 1f 5a ad b6 d0 a0 c3 71 50 0d a1 2b 72 c9 17 87 f3 73 15 63 27 37 45 87 c4 69 39 e1 05 fe 1c f4 4e c4 5c 81 3b df c4 c0 03 44 4c 14 f1 62 05 df 6f be 88 d7 aa be 0d f7 f2 29 31 3b 0f 96 c7 0e 84 bf c2 2f 48 65 37 98 1c 04 00 00 Data Ascii: TMo0=pvNQ;a*[$:iPrm:]lQeb3B)^9GS;yqy]\NlORN:pXi~lA@<dEyH tv 5\-iGeM,=%@@;i1[umL"mT)U:hJTo7OIw\|!0Y'p6Mg7 gauu,CVCg&2x'V4e=ekd;8pa?vAgNPSaEh)}v7?_BtI/G<pg+n4T#0z1m#nlkq&qI=?,X,$4kpZqP+rsc'7Ei9N\;DLbo)1;/He7
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 22 Nov 2024 14:12:37 GMTserver: Apacheset-cookie: __tad=1732284757.5675792; expires=Mon, 20-Nov-2034 14:12:37 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 51 ac 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 12 5b f2 24 3a 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 29 12 15 5e 39 dd 13 d0 a1 47 11 13 de 53 be 91 3b 79 8a c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 4f d8 d7 52 95 d1 4e 3a 70 58 69 87 8a 7e b4 da 6c 41 40 d2 10 f5 cb 3c df ef f7 d9 b3 ba fc da 0e d7 f9 fb 64 15 45 79 0e b7 48 20 81 74 87 76 20 b0 35 5c 2d 16 d0 69 e5 ac 47 65 4d e5 81 2c e0 3d aa 81 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 1e 8c 22 6d 0d 1f b7 ed 9d 54 db 9b 29 55 3a 87 87 68 b6 d7 a6 b2 fb ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f e7 49 dd 8b 8b 77 c9 7c 15 1d a3 88 dc 21 30 59 a5 27 70 95 fb 36 99 10 e0 91 a6 4d fa 67 b5 37 c1 20 f3 67 a1 61 75 ff 75 d2 2c e0 e3 b3 93 cf b7 ac 43 56 e9 43 67 8d 26 cb a1 f5 32 c8 f6 78 0c cc 27 56 34 9b 65 dc 04 93 d6 3d 88 92 b3 65 6b 64 3b f3 a7 38 bf cc 1c fa a1 a5 70 fe 00 61 3f 15 76 41 67 b0 93 9c 9f 10 d9 4e fb 50 ec 53 b5 1a 61 aa 45 f9 68 29 7d 76 37 3f 9d fe 5f bb 42 99 91 10 74 1f 81 b1 aa 49 d1 b9 b1 e3 7f 7f 87 b1 ab 2f 47 8e 0e 3c c5 70 67 2b 6e 34 04 ec da d9 c1 54 cb b3 cb c5 a5 ba ba 86 23 30 7a 04 31 6d ba 0c 23 fa 6e ad 6c 6b 9d 88 cf ea 71 c5 10 26 96 b7 8b 71 f1 bc 16 95 de c1 c8 15 49 a5 3d ab 3f 2c c1 58 83 ab a4 2c 24 34 0e 6b f1 cf f9 0d 93 70 95 94 1f 5a ad b6 d0 a0 c3 71 50 0d a1 2b 72 c9 17 87 f3 73 15 63 27 37 45 87 c4 69 39 e1 05 fe 1c f4 4e c4 5c 81 3b df c4 c0 03 44 4c 14 f1 62 05 df 6f be 88 d7 aa be 0d f7 f2 29 31 3b 0f 96 c7 0e 84 bf c2 2f 48 65 37 98 1c 04 00 00 Data Ascii: TMo0=pvNQ;a*[$:iPrm:]lQeb3B)^9GS;yqy]\NlORN:pXi~lA@<dEyH tv 5\-iGeM,=%@@;i1[umL"mT)U:hJTo7OIw\|!0Y'p6Mg7 gauu,CVCg&2x'V4e=ekd;8pa?vAgNPSaEh)}v7?_BtI/G<pg+n4T#0z1m#nlkq&qI=?,X,$4kpZqP+rsc'7Ei9N\;DLbo)1;/He7
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Fri, 22 Nov 2024 14:12:40 GMTserver: Apacheset-cookie: __tad=1732284760.2043783; expires=Mon, 20-Nov-2034 14:12:40 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 51 ac 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 2a d3 b1 12 5b f2 24 3a 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 29 12 15 5e 39 dd 13 d0 a1 47 11 13 de 53 be 91 3b 79 8a c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 4f d8 d7 52 95 d1 4e 3a 70 58 69 87 8a 7e b4 da 6c 41 40 d2 10 f5 cb 3c df ef f7 d9 b3 ba fc da 0e d7 f9 fb 64 15 45 79 0e b7 48 20 81 74 87 76 20 b0 35 5c 2d 16 d0 69 e5 ac 47 65 4d e5 81 2c e0 3d aa 81 90 81 8f 25 40 d7 40 0d c2 0b e5 d0 3b db 69 cf 31 a9 5b 0f b5 75 e0 6d 87 4c 91 de 9a a8 1e 8c 22 6d 0d 1f b7 ed 9d 54 db 9b 29 55 3a 87 87 68 b6 d7 a6 b2 fb ac b5 4a 06 54 e6 b0 6f a5 c2 f4 37 4f e7 49 dd 8b 8b 77 c9 7c 15 1d a3 88 dc 21 30 59 a5 27 70 95 fb 36 99 10 e0 91 a6 4d fa 67 b5 37 c1 20 f3 67 a1 61 75 ff 75 d2 2c e0 e3 b3 93 cf b7 ac 43 56 e9 43 67 8d 26 cb a1 f5 32 c8 f6 78 0c cc 27 56 34 9b 65 dc 04 93 d6 3d 88 92 b3 65 6b 64 3b f3 a7 38 bf cc 1c fa a1 a5 70 fe 00 61 3f 15 76 41 67 b0 93 9c 9f 10 d9 4e fb 50 ec 53 b5 1a 61 aa 45 f9 68 29 7d 76 37 3f 9d fe 5f bb 42 99 91 10 74 1f 81 b1 aa 49 d1 b9 b1 e3 7f 7f 87 b1 ab 2f 47 8e 0e 3c c5 70 67 2b 6e 34 04 ec da d9 c1 54 cb b3 cb c5 a5 ba ba 86 23 30 7a 04 31 6d ba 0c 23 fa 6e ad 6c 6b 9d 88 cf ea 71 c5 10 26 96 b7 8b 71 f1 bc 16 95 de c1 c8 15 49 a5 3d ab 3f 2c c1 58 83 ab a4 2c 24 34 0e 6b f1 cf f9 0d 93 70 95 94 1f 5a ad b6 d0 a0 c3 71 50 0d a1 2b 72 c9 17 87 f3 73 15 63 27 37 45 87 c4 69 39 e1 05 fe 1c f4 4e c4 5c 81 3b df c4 c0 03 44 4c 14 f1 62 05 df 6f be 88 d7 aa be 0d f7 f2 29 31 3b 0f 96 c7 0e 84 bf c2 2f 48 65 37 98 1c 04 00 00 Data Ascii: TMo0=pvNQ;a*[$:iPrm:]lQeb3B)^9GS;yqy]\NlORN:pXi~lA@<dEyH tv 5\-iGeM,=%@@;i1[umL"mT)U:hJTo7OIw\|!0Y'p6Mg7 gauu,CVCg&2x'V4e=ekd;8pa?vAgNPSaEh)}v7?_BtI/G<pg+n4T#0z1m#nlkq&qI=?,X,$4kpZqP+rsc'7Ei9N\;DLbo)1;/He7

Source: global traffic	HTTP traffic detected: GET /qygv/?o6=SpTPojpx7H&Mr60=PNgLNtFNavTWVACgmh5xCzkhObl4Vn/3Y2lvnmQ+PypmeASZv9aNxFxhHJqyS8bM8Pjr3wsa5/scE4diKg4Wmu6EeWsOoRA0CokgLA8hMNXivrFO8nzFLsU= HTTP/1.1Host: www.cyperla.xyzAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qx5d/?Mr60=IyUQrkKyuirfHSYuUsN1+y7QK+I5LuF7C0LSkI7uCAGWAT/RC+PuW1l2SNatEGXPklxe1J/nxX2px2UyQ1iPvprNVphaqp6upu86OQyU68aVNw4H3NL9j/8=&o6=SpTPojpx7H HTTP/1.1Host: www.cstrategy.onlineAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6ou6/?o6=SpTPojpx7H&Mr60=We72k2U8RqyHNx9ftVgFe72GQMu4iuXnCau05KQMUjWmq73IzupFdRGddnmXCSRdMUrkGKdQ0AHY8jBIUc/t5WHt4/FI7OJ+yOIhAl7/LaOCHNokGW9xZfY= HTTP/1.1Host: www.madhf.techAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /v89f/?Mr60=vR3kWP+v98PFeIQUj3bnjAJ1ckGUCiAryWjHUGMo4+T5xi8TnNV+jgD2+4ag3QdSrCwOZVBfu0hve5I79B9k2Lg1hTzUbXWqWgu/JIX+7IudMx93vwrkJY0=&o6=SpTPojpx7H HTTP/1.1Host: www.bser101pp.buzzAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /8m07/?o6=SpTPojpx7H&Mr60=2dHIoPS/8uSmn0UTpxXBmuXgzQfGtnFv3lXpG+Z7ZfR3/r1MA6yfaSEuuX1gcPtu0HplxKUHBw+SrOQKMJrrQZLN2Jh+RnltKoXALFEyxyCbEquQJUaCWgU= HTTP/1.1Host: www.goldstarfootwear.shopAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6m2n/?Mr60=Yw5byyKwEzNx0WExUgXfy9WYeOrLRKTUHYwp2f+G51jE3kEn7LG6s/p7OKNy20MANuawYrGFRZxpwvPhYVF0orZ4vi8yKWUq5FVUlLJ03fvmQMl+mrBpOPM=&o6=SpTPojpx7H HTTP/1.1Host: www.070002018.xyzAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /7yhf/?Mr60=OF4p1YkyIdfCe7eI49mlQK2eqaOY0Xp5m6SnSx71uUBEXBHxoh5TWtGHsn9J2PYNIykLYH3RiXpaFAzmPgGru88xTxROuotR+L2zC6/y25G8bNDJ7z2wjg0=&o6=SpTPojpx7H HTTP/1.1Host: www.bienmaigrir.infoAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /wu7k/?Mr60=msE8We8dGqsfRntVyauP2sAWp39/EoG83S1Gvm9i1konD6ZBc3B28v2M3s5YR0KKFS9CfgF+yd8Vab4bVKVP4o7T3EWu90E9kOVVHAZEZpi4QiZXp0u9yLs=&o6=SpTPojpx7H HTTP/1.1Host: www.yc791022.asiaAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ykgd/?Mr60=9oLAy+SEg8JXgI2QYoJQeX3wYK8lZLg7WKSBzbS4ZtdOlYE/G55wBiI45c0M4XnEo9VWh9C7p4Et5DP8QDQ/2tLKee7xpwwT0pkaI3y+yn0sIY/GpO9ikGE=&o6=SpTPojpx7H HTTP/1.1Host: www.jalan2.onlineAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fbpt/?Mr60=sHQWWiJRbY7Czg+qExT5lhETHbNnMxamWGf9ZvbaXe6zmK6gq2rUy+H9V8T+CpeiS8UyZN5qWlRSJl8kNjqw7URZvJro+8N+ASp2jrUizWujex2cueM/JZ0=&o6=SpTPojpx7H HTTP/1.1Host: www.beyondfitness.liveAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /dm4p/?o6=SpTPojpx7H&Mr60=nAmjXBwFyC120iWGDF5QEkfQ4V9pq4qW/X6vA0SQviJnmQOR7pbzII6Li/fXSuLSC3cdwp3L3c1awzkuuw4A1F2MgfpbEGtSAoSHmNs0Z+rY9P6APqFlZ34= HTTP/1.1Host: www.dietcoffee.onlineAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qtfx/?Mr60=KdNk/QG/ntQJ0Ylt7Lyc3znBwC3jfRDsxCMWqIa/89W9m0NHjjmW45E2UxezVHfL5+2nDpZVQ4VEoa9MycOLMlSLf1n7d0xHEmolRusqu1Y7m0apztprjxI=&o6=SpTPojpx7H HTTP/1.1Host: www.smartcongress.netAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.cyperla.xyz
Source: global traffic	DNS traffic detected: DNS query: www.cstrategy.online
Source: global traffic	DNS traffic detected: DNS query: www.madhf.tech
Source: global traffic	DNS traffic detected: DNS query: www.bser101pp.buzz
Source: global traffic	DNS traffic detected: DNS query: www.goldstarfootwear.shop
Source: global traffic	DNS traffic detected: DNS query: www.070002018.xyz
Source: global traffic	DNS traffic detected: DNS query: www.bienmaigrir.info
Source: global traffic	DNS traffic detected: DNS query: www.yc791022.asia
Source: global traffic	DNS traffic detected: DNS query: www.jalan2.online
Source: global traffic	DNS traffic detected: DNS query: www.beyondfitness.live
Source: global traffic	DNS traffic detected: DNS query: www.dietcoffee.online
Source: global traffic	DNS traffic detected: DNS query: www.smartcongress.net
Source: global traffic	DNS traffic detected: DNS query: www.alihones.lol

Source: unknown

HTTP traffic detected: POST /qx5d/ HTTP/1.1Host: www.cstrategy.onlineAccept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-usOrigin: http://www.cstrategy.onlineContent-Length: 201Connection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedReferer: http://www.cstrategy.online/qx5d/User-Agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.141 Safari/537.36Data Raw: 4d 72 36 30 3d 46 77 38 77 6f 52 36 55 79 51 6e 46 44 78 64 31 62 75 6c 54 34 6b 37 44 56 4f 49 66 61 65 35 6a 50 48 7a 4d 77 72 6e 39 48 44 47 43 56 42 75 2b 44 35 62 70 4c 42 73 74 51 71 57 68 42 33 79 6c 68 46 4e 78 2f 49 62 6b 2f 55 44 39 38 47 73 64 52 6d 4f 76 70 4a 50 58 54 2b 46 52 70 35 69 74 6d 37 77 76 4f 46 79 46 2b 4b 2b 33 47 6a 5a 32 30 4c 6e 65 68 76 4d 6a 55 33 2f 78 44 6b 50 43 58 70 57 4d 4f 6c 30 41 75 39 49 51 45 77 61 74 64 51 79 47 65 74 52 30 4e 36 6e 63 64 46 4a 65 59 7a 70 61 55 79 77 37 7a 6d 43 51 4b 68 4c 6d 35 4e 32 31 4b 6a 32 2f 5a 45 39 71 6c 4e 6c 49 5a 51 3d 3d Data Ascii: Mr60=Fw8woR6UyQnFDxd1bulT4k7DVOIfae5jPHzMwrn9HDGCVBu+D5bpLBstQqWhB3ylhFNx/Ibk/UD98GsdRmOvpJPXT+FRp5itm7wvOFyF+K+3GjZ20LnehvMjU3/xDkPCXpWMOl0Au9IQEwatdQyGetR0N6ncdFJeYzpaUyw7zmCQKhLm5N21Kj2/ZE9qlNlIZQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 22 Nov 2024 14:12:00 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:12:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ExXGxVIp2ZMU2E%2FTyHRW1RD9gnnczn%2BJqS7%2BunlbQOoFvujy1wGLzJjTT9zGMOcQV%2FV4E%2B6rGYhjLxAtn%2F6xAuJ0%2BaS2XwgMetJW7HB1sj%2BNe3OD8ig3PX0lI%2BWjaofse6bE9n4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e6984411928159b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1703&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=627&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:12:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XpjdmCjOtmi6O3l0NAvsmt3hhYhEz2dVfeKcounSOmSSQ4RMyKOrF0TnN3SVZBXzuMXlYKVqDBkRocx0A3RrCvoO0FsWvzxbOBi8ExrY494jRvCgF2%2BqW0rwDKuE7DEduOkF5sw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e6984517b38430a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1673&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=647&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:12:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gmtaxxdIQAoErVBf8Vv23IYJkyG3KpEmmy8ShcQPICxBhZg6q1BxTEvPZjCQeECByRY0SNqMPMXvy%2Fl7t4lF0OfeSjj6iTlokc%2FDlM5rhcLTQgjYrP2icGzDmry51CqdZAcyg%2FI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e698461d8568cee-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1831&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10729&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:12:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LmDkL9SZCD6P9Ur0Wxy5m2bP4Tp6Z517UhkhobWGiH%2B9Ivi19wVPnqdfrLFsLn3cNwlW72O527HKjJlMmA8DfxFDyn19%2FqHuOv0Ck6nOglP8VsQdKIg4gFX560qnFPtDx6BJ1Xw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e6984730f1f41ad-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=11291&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=357&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!--
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 14:13:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 14:13:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 14:13:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 14:13:27 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 14:13:34 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 14:13:37 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 14:13:40 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 14:13:42 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:13:50 GMTServer: ApacheContent-Length: 263Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:13:53 GMTServer: ApacheContent-Length: 263Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:14:01 GMTServer: ApacheContent-Length: 263Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Fri, 22 Nov 2024 14:14:08 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Fri, 22 Nov 2024 14:14:11 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Fri, 22 Nov 2024 14:14:13 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e a7 70 31 12 28 97 c2 67 49 1c bf 1d 85 5f c8 38 7d 5a f4 0c 34 6b 29 60 2d 71 d3 19 eb 47 50 1b ed 51 fb c5 68 23 b9 17 0b 8e 6b 59 63 d4 0f c6 20 b5 f4 92 a9 c8 d5 8c 60 93 31 38 61 a5 be 8f bc 89 1a e9 17 da 04 74 2f bd c2 12 d2 38 85 9f c6 c3 57 b3 d2 fc cd 59 31 1d e6 8b 9e 52 f9 a1 45 2e 19 5c 76 16 1b b4 2e aa 8d 32 96 70 05 b6 98 71 66 ef af 1e 2a c3 77 0f 15 ab ef 97 36 40 0c 21 d9 45 1c c7 e7 b2 0d 64 99 f6 8f 8f c5 74 00 2c a6 fb ac c2 b2 43 de c3 12 b8 48 d3 34 87 96 d9 a5 d4 59 9c 37 94 62 06 da d8 96 29 48 d2 6e 3b 9d c5 dd 16 3e 5a 4a 6d 0c df 50 ad d1 cb 9a 51 76 4c bb c8 a1 95 4d 0e 27 12 e6 f0 8a 15 5c 34 4d 93 87 ec b9 5c bf 50 9d ad bc a1 dd a5 8e 9e 61 8c 4a 08 cf e9 02 8f 5b 1f 31 25 97 3a 83 9a 4c 40 9b 43 af 7c f6 3e 26 86 87 14 22 85 0d 25 10 a5 c3 64 67 1c b9 62 74 c6 2a 67 d4 ca 63 0e de 74 19 5c 87 5d fa d0 39 f5 88 1b ec 9f 42 24 87 1d 8f 9a 40 10 25 72 f2 1f 66 c9 bc 87 55 52 e3 91 f1 30 d5 c7 6c 86 a9 ca 28 4e a0 e4 32 29 9f 84 a2 9a 3d 07 8d 02 89 20 6c fe 04 4d 9c 68 3c 2a 9f d5 85 98 d1 ea ae bc 13 08 16 9d 59 d9 3a 74 fe ae d0 79 e4 54 8f 2b c5 c9 2c 0f 15 12 01 5a 03 46 83 17 d2 01 39 b3 46 7b 5e 4c 3b 02 98 92 8e e5 fe 7d 22 e9 be 68 9a 38 b4 67 59 ce 88 c9 3e fd de a1 8e 71 2e f5 32 0b a5 10 68 c2 a1 93 1f 05 b6 a8 98 97 6b cc 6b 85 cc 92 04 5e e4 4f 9e 1e f1 fa cc a3 24 4e 68 e6 75 fd a6 ef 42 cb 2b 63 39 da 3e 14 28 10 c8 3a c9 c1 2e 2b 76 19 8f fb 36 49 e6 57 14 b6 8d 9c 60 dc 6c 32 88 fb c0 78 08 9a cd e7 63 78 7a c5 93 eb 2b 3a 9e 0e 7d 5f 85 95 2d 6f 68 57 ae 76 54 1e 1b b4 24 64 b5 83 1f d2 e3 6d 87 34 f8 8d 15 dc f6 f2 91 f2 37 94 8d c3 a0 2f e3 6b e9 e8 b7 17 cc 9f 44 df 61 2d 34 b1 5f 4a 74 f0 5d d7 13 20 f5 83 25 0c 36 04 24 8c f3 a4 1c 59 d5 76 4c ef 80 69 3e 06 46 fe ac 6a ba 33 04 0b b1 fd bd 62 8d 02 43 7b 1e 2e 99 97 7e d2 86 93 e0 e6 c1 cc 70 94 c3 c1 ee 2f b4 ff 0d 2b 0f 61 e1 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4Y7b)Hn;>ZJmPQvLM'\4M\PaJ[1%:L@C\|>&"%dgbtgct\]9B$@%rfUR0l(N2)= lMh<Y:tyT+,ZF9F{^L;}"h8gY>q.2hkk
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1249date: Fri, 22 Nov 2024 14:14:16 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:14:23 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:14:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:14:29 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 22 Nov 2024 14:14:31 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.25.3Date: Fri, 22 Nov 2024 14:14:38 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e cd 0e 82 30 10 84 ef 3c c5 ca 5d 16 0d c7 4d 0f f2 13 49 10 89 29 07 8f 98 d6 94 04 28 d2 a2 f1 ed 2d 70 f1 38 3b 33 df 2c ed 92 6b cc ef 55 0a 67 7e 29 a0 aa 4f 45 1e 83 bf 47 cc 53 9e 21 26 3c d9 9c 63 10 22 a6 a5 cf 3c 52 b6 ef 18 29 d9 08 27 6c 6b 3b c9 a2 30 82 52 5b c8 f4 3c 08 c2 ed e8 11 ae 21 7a 68 f1 5d 7a 07 f6 97 71 ca a3 91 71 25 61 92 af 59 1a 2b 05 d4 b7 02 50 f4 d1 88 f0 69 0c 0c 0e f9 5c 90 a0 07 b0 aa 35 60 e4 f4 96 53 40 38 ba 36 ae 60 b7 b2 3c e4 fd 00 14 26 9a 9b cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3M0<]MI)(-p8;3,kUg~)OEGS!&<c"<R)'lk;0R[<!zh]zqq%aY+Pi\5`S@86`<&0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.25.3Date: Fri, 22 Nov 2024 14:14:41 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e cd 0e 82 30 10 84 ef 3c c5 ca 5d 16 0d c7 4d 0f f2 13 49 10 89 29 07 8f 98 d6 94 04 28 d2 a2 f1 ed 2d 70 f1 38 3b 33 df 2c ed 92 6b cc ef 55 0a 67 7e 29 a0 aa 4f 45 1e 83 bf 47 cc 53 9e 21 26 3c d9 9c 63 10 22 a6 a5 cf 3c 52 b6 ef 18 29 d9 08 27 6c 6b 3b c9 a2 30 82 52 5b c8 f4 3c 08 c2 ed e8 11 ae 21 7a 68 f1 5d 7a 07 f6 97 71 ca a3 91 71 25 61 92 af 59 1a 2b 05 d4 b7 02 50 f4 d1 88 f0 69 0c 0c 0e f9 5c 90 a0 07 b0 aa 35 60 e4 f4 96 53 40 38 ba 36 ae 60 b7 b2 3c e4 fd 00 14 26 9a 9b cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3M0<]MI)(-p8;3,kUg~)OEGS!&<c"<R)'lk;0R[<!zh]zqq%aY+Pi\5`S@86`<&0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.25.3Date: Fri, 22 Nov 2024 14:14:44 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e cd 0e 82 30 10 84 ef 3c c5 ca 5d 16 0d c7 4d 0f f2 13 49 10 89 29 07 8f 98 d6 94 04 28 d2 a2 f1 ed 2d 70 f1 38 3b 33 df 2c ed 92 6b cc ef 55 0a 67 7e 29 a0 aa 4f 45 1e 83 bf 47 cc 53 9e 21 26 3c d9 9c 63 10 22 a6 a5 cf 3c 52 b6 ef 18 29 d9 08 27 6c 6b 3b c9 a2 30 82 52 5b c8 f4 3c 08 c2 ed e8 11 ae 21 7a 68 f1 5d 7a 07 f6 97 71 ca a3 91 71 25 61 92 af 59 1a 2b 05 d4 b7 02 50 f4 d1 88 f0 69 0c 0c 0e f9 5c 90 a0 07 b0 aa 35 60 e4 f4 96 53 40 38 ba 36 ae 60 b7 b2 3c e4 fd 00 14 26 9a 9b cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3M0<]MI)(-p8;3,kUg~)OEGS!&<c"<R)'lk;0R[<!zh]zqq%aY+Pi\5`S@86`<&0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.25.3Date: Fri, 22 Nov 2024 14:14:46 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 203Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 6d 34 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dm4p/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Fri, 22 Nov 2024 14:14:54 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Fri, 22 Nov 2024 14:14:57 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Fri, 22 Nov 2024 14:14:59 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Fri, 22 Nov 2024 14:15:02 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QfgdvbjddZ.exe, 00000008.00000002.4170545877.0000000003948000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.madhf.tech/6ou6/?o6=SpTPojpx7H&Mr60=We72k2U8RqyHNx9ftVgFe72GQMu4iuXnCau05KQMUjWmq73IzupFd
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: QfgdvbjddZ.exe, 00000008.00000002.4172302652.00000000056E1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.smartcongress.net
Source: QfgdvbjddZ.exe, 00000008.00000002.4172302652.00000000056E1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.smartcongress.net/qtfx/
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order PO.exe, 00000000.00000002.1744861473.0000000006E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: isoburn.exe, 00000007.00000003.2328333477.0000000008158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: isoburn.exe, 00000007.00000003.2328333477.0000000008158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: isoburn.exe, 00000007.00000003.2328333477.0000000008158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: isoburn.exe, 00000007.00000003.2328333477.0000000008158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: isoburn.exe, 00000007.00000003.2328333477.0000000008158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: isoburn.exe, 00000007.00000003.2328333477.0000000008158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: isoburn.exe, 00000007.00000003.2328333477.0000000008158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Purchase Order PO.exe	String found in binary or memory: https://github.com/ppx17/Onkyo-Remote-Control
Source: isoburn.exe, 00000007.00000002.4169460570.0000000003049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: isoburn.exe, 00000007.00000002.4169460570.0000000003049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: isoburn.exe, 00000007.00000002.4169460570.0000000003049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: isoburn.exe, 00000007.00000002.4169460570.0000000003049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: isoburn.exe, 00000007.00000002.4169460570.0000000003049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: isoburn.exe, 00000007.00000002.4169460570.0000000003049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: isoburn.exe, 00000007.00000003.2318577280.0000000008146000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: isoburn.exe, 00000007.00000002.4171236393.0000000005B76000.00000004.10000000.00040000.00000000.sdmp, QfgdvbjddZ.exe, 00000008.00000002.4170545877.00000000037B6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.cstrategy.online/qx5d/?Mr60=IyUQrkKyuirfHSYuUsN1
Source: isoburn.exe, 00000007.00000003.2328333477.0000000008158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: isoburn.exe, 00000007.00000003.2328333477.0000000008158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.Purchase Order PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Purchase Order PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4172302652.0000000005670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4169256921.0000000002D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4170584214.0000000004CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4170538455.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2134871373.0000000001DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131373286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4170384363.0000000002F20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2135061100.0000000001F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order PO.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_0042C663 NtClose,	2_2_0042C663
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2B60 NtClose,LdrInitializeThunk,	2_2_01AD2B60
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01AD2DF0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01AD2C70
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD35C0 NtCreateMutant,LdrInitializeThunk,	2_2_01AD35C0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD4340 NtSetContextThread,	2_2_01AD4340
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD4650 NtSuspendThread,	2_2_01AD4650
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2BA0 NtEnumerateValueKey,	2_2_01AD2BA0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2B80 NtQueryInformationFile,	2_2_01AD2B80
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2BE0 NtQueryValueKey,	2_2_01AD2BE0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2BF0 NtAllocateVirtualMemory,	2_2_01AD2BF0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2AB0 NtWaitForSingleObject,	2_2_01AD2AB0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2AF0 NtWriteFile,	2_2_01AD2AF0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2AD0 NtReadFile,	2_2_01AD2AD0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2DB0 NtEnumerateKey,	2_2_01AD2DB0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2DD0 NtDelayExecution,	2_2_01AD2DD0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2D30 NtUnmapViewOfSection,	2_2_01AD2D30
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2D00 NtSetInformationFile,	2_2_01AD2D00
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2D10 NtMapViewOfSection,	2_2_01AD2D10
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2CA0 NtQueryInformationToken,	2_2_01AD2CA0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2CF0 NtOpenProcess,	2_2_01AD2CF0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2CC0 NtQueryVirtualMemory,	2_2_01AD2CC0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2C00 NtQueryInformationProcess,	2_2_01AD2C00
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2C60 NtCreateKey,	2_2_01AD2C60
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2FA0 NtQuerySection,	2_2_01AD2FA0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2FB0 NtResumeThread,	2_2_01AD2FB0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2F90 NtProtectVirtualMemory,	2_2_01AD2F90
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2FE0 NtCreateFile,	2_2_01AD2FE0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2F30 NtCreateSection,	2_2_01AD2F30
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2F60 NtCreateProcessEx,	2_2_01AD2F60
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2EA0 NtAdjustPrivilegesToken,	2_2_01AD2EA0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2E80 NtReadVirtualMemory,	2_2_01AD2E80
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2EE0 NtQueueApcThread,	2_2_01AD2EE0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD2E30 NtWriteVirtualMemory,	2_2_01AD2E30
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD3090 NtSetValueKey,	2_2_01AD3090
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD3010 NtOpenDirectoryObject,	2_2_01AD3010
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD39B0 NtGetContextThread,	2_2_01AD39B0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD3D10 NtOpenProcessToken,	2_2_01AD3D10
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD3D70 NtOpenThread,	2_2_01AD3D70
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05044650 NtSuspendThread,LdrInitializeThunk,	7_2_05044650
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05044340 NtSetContextThread,LdrInitializeThunk,	7_2_05044340
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_05042D10
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_05042D30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042DD0 NtDelayExecution,LdrInitializeThunk,	7_2_05042DD0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_05042DF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042C60 NtCreateKey,LdrInitializeThunk,	7_2_05042C60
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_05042C70
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_05042CA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042F30 NtCreateSection,LdrInitializeThunk,	7_2_05042F30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042FB0 NtResumeThread,LdrInitializeThunk,	7_2_05042FB0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042FE0 NtCreateFile,LdrInitializeThunk,	7_2_05042FE0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_05042E80
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_05042EE0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042B60 NtClose,LdrInitializeThunk,	7_2_05042B60
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_05042BA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_05042BE0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_05042BF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042AD0 NtReadFile,LdrInitializeThunk,	7_2_05042AD0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042AF0 NtWriteFile,LdrInitializeThunk,	7_2_05042AF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050435C0 NtCreateMutant,LdrInitializeThunk,	7_2_050435C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050439B0 NtGetContextThread,LdrInitializeThunk,	7_2_050439B0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042D00 NtSetInformationFile,	7_2_05042D00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042DB0 NtEnumerateKey,	7_2_05042DB0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042C00 NtQueryInformationProcess,	7_2_05042C00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042CC0 NtQueryVirtualMemory,	7_2_05042CC0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042CF0 NtOpenProcess,	7_2_05042CF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042F60 NtCreateProcessEx,	7_2_05042F60
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042F90 NtProtectVirtualMemory,	7_2_05042F90
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042FA0 NtQuerySection,	7_2_05042FA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042E30 NtWriteVirtualMemory,	7_2_05042E30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042EA0 NtAdjustPrivilegesToken,	7_2_05042EA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042B80 NtQueryInformationFile,	7_2_05042B80
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05042AB0 NtWaitForSingleObject,	7_2_05042AB0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05043010 NtOpenDirectoryObject,	7_2_05043010
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05043090 NtSetValueKey,	7_2_05043090
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05043D10 NtOpenProcessToken,	7_2_05043D10
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05043D70 NtOpenThread,	7_2_05043D70
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D39210 NtReadFile,	7_2_02D39210
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D393A0 NtClose,	7_2_02D393A0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D39300 NtDeleteFile,	7_2_02D39300
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D390A0 NtCreateFile,	7_2_02D390A0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D39510 NtAllocateVirtualMemory,	7_2_02D39510

Detected potential crypto function

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_0114DF94	0_2_0114DF94
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DF8500	0_2_05DF8500
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DF54D8	0_2_05DF54D8
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DF2106	0_2_05DF2106
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DFB4D0	0_2_05DFB4D0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DF336A	0_2_05DF336A
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DFE2E5	0_2_05DFE2E5
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DFE288	0_2_05DFE288
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DFE279	0_2_05DFE279
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DF2C38	0_2_05DF2C38
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_0746A020	0_2_0746A020
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_07464D08	0_2_07464D08
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_07465140	0_2_07465140
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_074648D0	0_2_074648D0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_07466880	0_2_07466880
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00418583	2_2_00418583
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00403040	2_2_00403040
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_0040E108	2_2_0040E108
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_0040E113	2_2_0040E113
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00401270	2_2_00401270
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_004022A5	2_2_004022A5
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_004022B0	2_2_004022B0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00402B21	2_2_00402B21
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00402B30	2_2_00402B30
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_0040242E	2_2_0040242E
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00402430	2_2_00402430
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_0042ECA3	2_2_0042ECA3
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_0040FDAB	2_2_0040FDAB
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_0040FDB3	2_2_0040FDB3
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00402710	2_2_00402710
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_0040DFC3	2_2_0040DFC3
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_0040FFD3	2_2_0040FFD3
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00416793	2_2_00416793
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B601AA	2_2_01B601AA
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B581CC	2_2_01B581CC
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A90100	2_2_01A90100
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B3A118	2_2_01B3A118
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B28158	2_2_01B28158
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B32000	2_2_01B32000
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B603E6	2_2_01B603E6
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AAE3F0	2_2_01AAE3F0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5A352	2_2_01B5A352
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B202C0	2_2_01B202C0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B40274	2_2_01B40274
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B60591	2_2_01B60591
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA0535	2_2_01AA0535
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B4E4F6	2_2_01B4E4F6
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B52446	2_2_01B52446
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A9C7C0	2_2_01A9C7C0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA0770	2_2_01AA0770
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AC4750	2_2_01AC4750
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01ABC6E0	2_2_01ABC6E0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA29A0	2_2_01AA29A0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B6A9A6	2_2_01B6A9A6
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AB6962	2_2_01AB6962
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A868B8	2_2_01A868B8
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01ACE8F0	2_2_01ACE8F0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA2840	2_2_01AA2840
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AAA840	2_2_01AAA840
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B56BD7	2_2_01B56BD7
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5AB40	2_2_01B5AB40
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A9EA80	2_2_01A9EA80
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AB8DBF	2_2_01AB8DBF
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A9ADE0	2_2_01A9ADE0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AAAD00	2_2_01AAAD00
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B3CD1F	2_2_01B3CD1F
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B40CB5	2_2_01B40CB5
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A90CF2	2_2_01A90CF2
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA0C00	2_2_01AA0C00
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B1EFA0	2_2_01B1EFA0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A92FC8	2_2_01A92FC8
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B42F30	2_2_01B42F30
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AE2F28	2_2_01AE2F28
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AC0F30	2_2_01AC0F30
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B14F40	2_2_01B14F40
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5CE93	2_2_01B5CE93
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AB2E90	2_2_01AB2E90
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5EEDB	2_2_01B5EEDB
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5EE26	2_2_01B5EE26
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA0E59	2_2_01AA0E59
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AAB1B0	2_2_01AAB1B0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AD516C	2_2_01AD516C
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A8F172	2_2_01A8F172
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B6B16B	2_2_01B6B16B
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5F0E0	2_2_01B5F0E0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B570E9	2_2_01B570E9
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA70C0	2_2_01AA70C0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B4F0CC	2_2_01B4F0CC
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AE739A	2_2_01AE739A
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5132D	2_2_01B5132D
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A8D34C	2_2_01A8D34C
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA52A0	2_2_01AA52A0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B412ED	2_2_01B412ED
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01ABD2F0	2_2_01ABD2F0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01ABB2C0	2_2_01ABB2C0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B3D5B0	2_2_01B3D5B0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B57571	2_2_01B57571
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5F43F	2_2_01B5F43F
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A91460	2_2_01A91460
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5F7B0	2_2_01B5F7B0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B516CC	2_2_01B516CC
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B35910	2_2_01B35910
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA9950	2_2_01AA9950
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01ABB950	2_2_01ABB950
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA38E0	2_2_01AA38E0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B0D800	2_2_01B0D800
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01ABFB80	2_2_01ABFB80
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B15BF0	2_2_01B15BF0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01ADDBF9	2_2_01ADDBF9
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5FB76	2_2_01B5FB76
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AE5AA0	2_2_01AE5AA0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B41AA3	2_2_01B41AA3
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B3DAAC	2_2_01B3DAAC
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B4DAC6	2_2_01B4DAC6
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B13A6C	2_2_01B13A6C
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B57A46	2_2_01B57A46
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5FA49	2_2_01B5FA49
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01ABFDC0	2_2_01ABFDC0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B57D73	2_2_01B57D73
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA3D40	2_2_01AA3D40
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B51D5A	2_2_01B51D5A
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5FCF2	2_2_01B5FCF2
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B19C32	2_2_01B19C32
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5FFB1	2_2_01B5FFB1
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA1F92	2_2_01AA1F92
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01B5FF09	2_2_01B5FF09
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01AA9EB0	2_2_01AA9EB0
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_0329634D	6_2_0329634D
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_032ACB42	6_2_032ACB42
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_0328BFA7	6_2_0328BFA7
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_0328BFB2	6_2_0328BFB2
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_03294632	6_2_03294632
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_0328BE62	6_2_0328BE62
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_0328DE72	6_2_0328DE72
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_0328DC4A	6_2_0328DC4A
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_0328DC52	6_2_0328DC52
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05010535	7_2_05010535
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050D0591	7_2_050D0591
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050B4420	7_2_050B4420
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C2446	7_2_050C2446
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050BE4F6	7_2_050BE4F6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05034750	7_2_05034750
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05010770	7_2_05010770
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0500C7C0	7_2_0500C7C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0502C6E0	7_2_0502C6E0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05000100	7_2_05000100
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050AA118	7_2_050AA118
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05098158	7_2_05098158
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050D01AA	7_2_050D01AA
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C41A2	7_2_050C41A2
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C81CC	7_2_050C81CC
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050A2000	7_2_050A2000
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CA352	7_2_050CA352
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050D03E6	7_2_050D03E6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0501E3F0	7_2_0501E3F0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050B0274	7_2_050B0274
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050902C0	7_2_050902C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0501AD00	7_2_0501AD00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050ACD1F	7_2_050ACD1F
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05028DBF	7_2_05028DBF
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0500ADE0	7_2_0500ADE0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05010C00	7_2_05010C00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050B0CB5	7_2_050B0CB5
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05000CF2	7_2_05000CF2
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05052F28	7_2_05052F28
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05030F30	7_2_05030F30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050B2F30	7_2_050B2F30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05084F40	7_2_05084F40
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0508EFA0	7_2_0508EFA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05002FC8	7_2_05002FC8
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CEE26	7_2_050CEE26
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05010E59	7_2_05010E59
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05022E90	7_2_05022E90
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CCE93	7_2_050CCE93
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CEEDB	7_2_050CEEDB
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_04FF68B8	7_2_04FF68B8
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05026962	7_2_05026962
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050129A0	7_2_050129A0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050DA9A6	7_2_050DA9A6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0501A840	7_2_0501A840
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05012840	7_2_05012840
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0503E8F0	7_2_0503E8F0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CAB40	7_2_050CAB40
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C6BD7	7_2_050C6BD7
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0500EA80	7_2_0500EA80
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C7571	7_2_050C7571
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050AD5B0	7_2_050AD5B0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050D95C3	7_2_050D95C3
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CF43F	7_2_050CF43F
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05001460	7_2_05001460
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CF7B0	7_2_050CF7B0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05055630	7_2_05055630
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C16CC	7_2_050C16CC
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050DB16B	7_2_050DB16B
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0504516C	7_2_0504516C
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0501B1B0	7_2_0501B1B0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_04FFF172	7_2_04FFF172
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050170C0	7_2_050170C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050BF0CC	7_2_050BF0CC
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C70E9	7_2_050C70E9
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CF0E0	7_2_050CF0E0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C132D	7_2_050C132D
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0505739A	7_2_0505739A
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050152A0	7_2_050152A0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_04FFD34C	7_2_04FFD34C
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0502B2C0	7_2_0502B2C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050B12ED	7_2_050B12ED
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0502D2F0	7_2_0502D2F0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05013D40	7_2_05013D40
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C1D5A	7_2_050C1D5A
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C7D73	7_2_050C7D73
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0502FDC0	7_2_0502FDC0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05089C32	7_2_05089C32
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CFCF2	7_2_050CFCF2
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CFF09	7_2_050CFF09
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05011F92	7_2_05011F92
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CFFB1	7_2_050CFFB1
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05019EB0	7_2_05019EB0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050A5910	7_2_050A5910
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05019950	7_2_05019950
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0502B950	7_2_0502B950
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0507D800	7_2_0507D800
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050138E0	7_2_050138E0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CFB76	7_2_050CFB76
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0502FB80	7_2_0502FB80
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05085BF0	7_2_05085BF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_0504DBF9	7_2_0504DBF9
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050CFA49	7_2_050CFA49
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050C7A46	7_2_050C7A46
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05083A6C	7_2_05083A6C
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_05055AA0	7_2_05055AA0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050ADAAC	7_2_050ADAAC
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050B1AA3	7_2_050B1AA3
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050BDAC6	7_2_050BDAC6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D21C30	7_2_02D21C30
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D1CAF0	7_2_02D1CAF0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D1CAE8	7_2_02D1CAE8
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D1AE50	7_2_02D1AE50
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D1AE45	7_2_02D1AE45
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D1CD10	7_2_02D1CD10
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D1AD00	7_2_02D1AD00
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D252C0	7_2_02D252C0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D234D0	7_2_02D234D0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D3B9E0	7_2_02D3B9E0
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_04DEE770	7_2_04DEE770
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_04DEE2B4	7_2_04DEE2B4
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_04DEE3D3	7_2_04DEE3D3
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_04DED838	7_2_04DED838

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: String function: 01B1F290 appears 103 times
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: String function: 01A8B970 appears 257 times
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: String function: 01AE7E54 appears 99 times
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: String function: 01B0EA12 appears 86 times
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: String function: 01AD5130 appears 58 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 05057E54 appears 107 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 0508F290 appears 103 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 0507EA12 appears 86 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 04FFB970 appears 262 times
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: String function: 05045130 appears 58 times

Sample file is different than original file name gathered from version info

Source: Purchase Order PO.exe, 00000000.00000002.1740596603.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order PO.exe
Source: Purchase Order PO.exe, 00000000.00000002.1744164572.0000000005460000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Purchase Order PO.exe
Source: Purchase Order PO.exe, 00000000.00000002.1746019565.0000000007910000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Purchase Order PO.exe
Source: Purchase Order PO.exe, 00000000.00000002.1741702532.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Purchase Order PO.exe
Source: Purchase Order PO.exe, 00000002.00000002.2133689929.0000000001B8D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order PO.exe
Source: Purchase Order PO.exe, 00000002.00000002.2132616252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISOBURN.EXEj% vs Purchase Order PO.exe
Source: Purchase Order PO.exe	Binary or memory string: OriginalFilenameJIjm.exeB vs Purchase Order PO.exe

Uses 32bit PE files

Source: Purchase Order PO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Purchase Order PO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, RNTHW2S4uo86L5o1JA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, RNTHW2S4uo86L5o1JA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@18/12

Source: C:\Users\user\Desktop\Purchase Order PO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order PO.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order PO.exe "C:\Users\user\Desktop\Purchase Order PO.exe"
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process created: C:\Users\user\Desktop\Purchase Order PO.exe "C:\Users\user\Desktop\Purchase Order PO.exe"
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Process created: C:\Windows\SysWOW64\isoburn.exe "C:\Windows\SysWOW64\isoburn.exe"
Source: C:\Windows\SysWOW64\isoburn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process created: C:\Users\user\Desktop\Purchase Order PO.exe "C:\Users\user\Desktop\Purchase Order PO.exe"	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Process created: C:\Windows\SysWOW64\isoburn.exe "C:\Windows\SysWOW64\isoburn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	.Net Code: NZHcFhG3lK System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	.Net Code: NZHcFhG3lK System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_0114EF22 pushad ; iretd	0_2_0114EF29
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_0114EEE0 push eax; iretd	0_2_0114EEE1
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DF36D7 push ebx; iretd	0_2_05DF36DA
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 0_2_05DF3AD9 push ebx; retf	0_2_05DF3ADA
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_004148DC pushad ; retf	2_2_004148E4
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_004032C0 push eax; ret	2_2_004032C2
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00426AB3 push es; retf	2_2_00426B5B
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00418ABC push ebx; ret	2_2_00418ABD
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00413BE9 push 00000025h; iretd	2_2_00413BF0
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00417C83 push edx; retf	2_2_00417CC2
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00417D07 push edx; retf	2_2_00417CC2
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00401DE9 pushad ; retf	2_2_00401E17
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00404E1D push 2A89E27Eh; ret	2_2_00404E25
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00415625 push ebp; retf	2_2_00415626
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_00404F61 push ss; ret	2_2_00404F62
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Code function: 2_2_01A909AD push ecx; mov dword ptr [esp], ecx	2_2_01A909B6
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_03295B22 push edx; retf	6_2_03295B61
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_03295BA6 push edx; retf	6_2_03295B61
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_03291A88 push 00000025h; iretd	6_2_03291A8F
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_0329695B push ebx; ret	6_2_0329695C
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_032989E9 push cs; retf	6_2_032989EA
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_03296F13 push ds; retf	6_2_03296F16
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_0329277B pushad ; retf	6_2_03292783
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_03282E00 push ss; ret	6_2_03282E01
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_03296ED5 push 00000035h; iretd	6_2_03296EE0
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_032985C0 push ebx; ret	6_2_032985C1
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_03282CBC push 2A89E27Eh; ret	6_2_03282CC4
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	Code function: 6_2_032934C4 push ebp; retf	6_2_032934C5
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_050009AD push ecx; mov dword ptr [esp], ecx	7_2_050009B6
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_04FD1368 push eax; iretd	7_2_04FD1369
Source: C:\Windows\SysWOW64\isoburn.exe	Code function: 7_2_02D303EA push EBE9D31Fh; retf	7_2_02D30403

Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, aqp7ffcvundNltMO2S.cs	High entropy of concatenated method names: 'W5j28NTHW2', 'quo2u86L5o', 'C6b2HsmfaO', 'dDC2aoAqvk', 'B0021VD8hw', 'H4b2kmQhIX', 'UQETmkyP2BoWDqBFAn', 't4vFAQ5aWg1ApxaWuX', 'LNt222dQwy', 'OsU2g4Xa8O'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, DmkAepYXmip3Gmhb5O.cs	High entropy of concatenated method names: 'Dispose', 'rPr2hNTXCp', 'j8mIVStv2N', 'V6X8lEhMdQ', 'jjp2DRj75u', 'C2A2z9277R', 'ProcessDialogKey', 'MhpIZlX3xc', 'LxLI2DIMK3', 'cZlIIAjFbP'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, aVHThLTi1k5mI5OYTR.cs	High entropy of concatenated method names: 'tBo4HVuByT', 'VMC4anYFhd', 'ToString', 'v874L3UONR', 'aGm4YwKGTn', 'lEZ4fj2Rpj', 'iJV4bDreXj', 'm874NXFbMh', 'p1W48c0LwV', 'UDq4u8e79W'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, lpHqI52ckEnRBHScCjq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RHxJRoA02P', 'VYjJiY58aR', 'UPeJel4ggD', 'u67JJyH0sT', 'lAjJAkRWPb', 'OiSJXw7QY0', 'H4iJlr6ZMi'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, FPfKGBzH4SovIoX8LK.cs	High entropy of concatenated method names: 'ouGiQRLbMR', 'ibQiSFa6qx', 'JFfiquOht1', 'qo7iWSNRfj', 'sAViVoZJhv', 'MpTi6sXfV3', 'EDKiUV4VDx', 'KNNilhkCx9', 'yhMiKHYrel', 'LyKiv5Y1Ar'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, cn0aPwq6bsmfaOcDCo.cs	High entropy of concatenated method names: 'LnlfmWY9ux', 'YrxfQMYp9T', 'iSTfSgEpTJ', 'PqKfqj0vQV', 'qwQf1AhqFd', 'RHpfkYQMFO', 'e14f4e60EC', 't0Pf9WO4eR', 'n40fRoDNtd', 'uMPfi2FhKM'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, iy7HYF22gAjNId4ttrA.cs	High entropy of concatenated method names: 'c2viD3XJvD', 'Bbciz5VP0v', 'aHGeZSplID', 'DOae2w9RsB', 'kU4eIKQP6F', 'Y2uegxD7q7', 'OgoecABiVD', 'HLVeo62yMd', 'CUUeLjj3Mc', 'cZceYrpM60'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, RNTHW2S4uo86L5o1JA.cs	High entropy of concatenated method names: 'yxxYjeRac6', 'kyWYrrhirS', 'tmvY3npNwP', 'rg6YToxkKd', 'KO3YnFlKyf', 'aLPY7kfGqt', 'oslYsw3xUj', 'rmfYCiN38s', 'FTWYhynx1d', 'VxMYDa3f3i'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	High entropy of concatenated method names: 'C7lgohYFLH', 'bC8gLtnwFe', 'yhQgYqEbba', 'YyygfTPToq', 'Y9qgbWFhWG', 'lr7gN7OxYW', 'mWKg8fvn8A', 'GQ2guBrTr0', 'Q33gM1L6Ho', 'BHfgH31Q4N'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, jhw04bWmQhIXem2aoS.cs	High entropy of concatenated method names: 'ALwNon5ush', 'XqpNY1mey3', 'ofKNbYVK6o', 'Jh9N8o0FKX', 'XEWNuZSLQF', 'mfcbnNPYFS', 'mi6b7NkaKb', 'NagbsrNJoy', 'w34bC4dErm', 'digbh64w6U'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, X4aqCayM4O0bjg6BHK.cs	High entropy of concatenated method names: 'gX18KsW7ML', 'Kvc8vFDgOf', 'qqk8FA70SX', 'TnH8mYqijo', 'G9G8Gf2OPi', 'jkM8Q1qO6J', 'QyU8wEWLCl', 'pwZ8SIiCNO', 'Bur8qeaOqZ', 'LVv8PWWcdx'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, DAK3xI7QBPJNVvpJA7.cs	High entropy of concatenated method names: 'Q0o4CDuKa9', 'oXl4DrO3pb', 'Hx69ZT7u05', 'A4n92uqWWc', 'F5y4Okqrfk', 't7s4EWDJaK', 'cm44x72v8B', 'he54jNITg2', 'eGL4r8D7Ve', 'avm43LraTv'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, TdMXwk2IOCUbuPKgiCM.cs	High entropy of concatenated method names: 'ToString', 'TjOeS2sw73', 'G1aeqVUgoS', 'VpEePZB1yL', 'EbJeW4yc8H', 'fbIeVWRFOq', 'VgEe03S1SR', 'OjNe6vidZM', 'DxIRpGopRJrsKwtaQao', 'MPu0yyoiQ7gtj94EbUk'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, ysYRXux16dGSwPvXBR.cs	High entropy of concatenated method names: 'CXTpSbACMu', 'M07pqurkA4', 'bslpWdbWXM', 'bKupVdZ7w5', 'lqSp6bWiGo', 'IbYpUI0bwa', 'MIupB7PCEN', 'rIFptjTGUU', 'ATBp5XngTa', 'aOOpOrZRSB'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, L8jdffjmDIPT7Qog1H.cs	High entropy of concatenated method names: 'K4W15mjdRb', 'Gxc1E8J10e', 'OAS1jXU2Rb', 'Eki1r60tUX', 'IkV1V888FI', 'IT510Bsfnn', 'VS416FjlYw', 'UhR1U0FDRD', 'vll1dmAem1', 'no21Bdp5dY'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, O0BJiGs6mRPrNTXCp8.cs	High entropy of concatenated method names: 'LBrR1JTgBt', 'WqvR42eyB5', 'Hl0RRZYAQl', 'X6VRewFVKo', 'A1iRApxifW', 'Rv8RlFJgeV', 'Dispose', 'qBy9LovUHs', 'TV19YC0JRk', 'hCk9fci3oN'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, IE0GcRI72Kb56a0DmM.cs	High entropy of concatenated method names: 'B39FD4Sut', 'nkBmI3g0c', 'uhoQFV2WS', 'd4AwLlOK6', 'RJnqqRgsp', 'GKNP3K53J', 'EHZXVbXNk3nDQ7r7l3', 'fqJwY4tmbwHVcFMwYT', 'gPT9W3t6S', 'uT7ivDwWb'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, vjFbPYDPCvOxXUBpPb.cs	High entropy of concatenated method names: 'tKeifFfoN6', 'SYHibPSqPa', 'yJIiN0QMZh', 'Yvxi81QDtd', 'J7eiR0rWCf', 'EKiiuMgPDP', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, OoBgA3fa7Eks4FMyOk.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Fu0IhNdXts', 'MpJIDGgfuB', 'bMPIzJRin6', 'zr1gZd2f4l', 'cvMg27alc3', 'TxFgIPCMx9', 'foKgg5HL6v', 'D31eN1vJ7gV3BBnJWmh'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, V5El6G3x7Lp6nDysBU.cs	High entropy of concatenated method names: 'ToString', 'WwYkOJNChY', 'OdkkVFmMER', 'NLAk0S7XX6', 'rB7k6HOF95', 'HeokUjrlmb', 'gDdkdweoNu', 'FKwkBEwenr', 'yZNktqmh4m', 'u1tkyd7W6d'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, hb5C4BBngYsx8EuB68.cs	High entropy of concatenated method names: 'k0v8LqNm5m', 'e2J8f3CBF3', 'MiT8NPqj7y', 'fR7NDOHL0k', 'fLWNzCLchJ', 'eTo8ZbXtmv', 'GhN82Qhorb', 'CZF8IyHKmG', 't4D8g9ofX2', 'SXO8cGVXel'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, vqvkmUP9Q4RtuG00VD.cs	High entropy of concatenated method names: 'GITbGoBEM4', 'x5kbw5mNJd', 'uL1f0SS1Qn', 'ImHf6lh1uw', 'DeffU9RQUu', 'CspfdnOciM', 'hO2fBYfpvy', 'KVvfto91NO', 'gmRfyv6nof', 'FiGf5KTqwv'
Source: 0.2.Purchase Order PO.exe.3eb31a0.3.raw.unpack, olX3xchBxLDIMK3gZl.cs	High entropy of concatenated method names: 'm2nRWKWYPq', 'jPGRVYVqsi', 'tN2R0Kx8IZ', 'K9JR63HY7i', 'wyxRUZBSg8', 'VebRdUjQ4k', 'mdcRBnmJlx', 'jokRteMIFx', 'JQSRyivjFs', 'b3qR569rA7'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, aqp7ffcvundNltMO2S.cs	High entropy of concatenated method names: 'W5j28NTHW2', 'quo2u86L5o', 'C6b2HsmfaO', 'dDC2aoAqvk', 'B0021VD8hw', 'H4b2kmQhIX', 'UQETmkyP2BoWDqBFAn', 't4vFAQ5aWg1ApxaWuX', 'LNt222dQwy', 'OsU2g4Xa8O'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, DmkAepYXmip3Gmhb5O.cs	High entropy of concatenated method names: 'Dispose', 'rPr2hNTXCp', 'j8mIVStv2N', 'V6X8lEhMdQ', 'jjp2DRj75u', 'C2A2z9277R', 'ProcessDialogKey', 'MhpIZlX3xc', 'LxLI2DIMK3', 'cZlIIAjFbP'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, aVHThLTi1k5mI5OYTR.cs	High entropy of concatenated method names: 'tBo4HVuByT', 'VMC4anYFhd', 'ToString', 'v874L3UONR', 'aGm4YwKGTn', 'lEZ4fj2Rpj', 'iJV4bDreXj', 'm874NXFbMh', 'p1W48c0LwV', 'UDq4u8e79W'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, lpHqI52ckEnRBHScCjq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RHxJRoA02P', 'VYjJiY58aR', 'UPeJel4ggD', 'u67JJyH0sT', 'lAjJAkRWPb', 'OiSJXw7QY0', 'H4iJlr6ZMi'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, FPfKGBzH4SovIoX8LK.cs	High entropy of concatenated method names: 'ouGiQRLbMR', 'ibQiSFa6qx', 'JFfiquOht1', 'qo7iWSNRfj', 'sAViVoZJhv', 'MpTi6sXfV3', 'EDKiUV4VDx', 'KNNilhkCx9', 'yhMiKHYrel', 'LyKiv5Y1Ar'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, cn0aPwq6bsmfaOcDCo.cs	High entropy of concatenated method names: 'LnlfmWY9ux', 'YrxfQMYp9T', 'iSTfSgEpTJ', 'PqKfqj0vQV', 'qwQf1AhqFd', 'RHpfkYQMFO', 'e14f4e60EC', 't0Pf9WO4eR', 'n40fRoDNtd', 'uMPfi2FhKM'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, iy7HYF22gAjNId4ttrA.cs	High entropy of concatenated method names: 'c2viD3XJvD', 'Bbciz5VP0v', 'aHGeZSplID', 'DOae2w9RsB', 'kU4eIKQP6F', 'Y2uegxD7q7', 'OgoecABiVD', 'HLVeo62yMd', 'CUUeLjj3Mc', 'cZceYrpM60'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, RNTHW2S4uo86L5o1JA.cs	High entropy of concatenated method names: 'yxxYjeRac6', 'kyWYrrhirS', 'tmvY3npNwP', 'rg6YToxkKd', 'KO3YnFlKyf', 'aLPY7kfGqt', 'oslYsw3xUj', 'rmfYCiN38s', 'FTWYhynx1d', 'VxMYDa3f3i'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, N8UBb3uLZruqHjVZ8x.cs	High entropy of concatenated method names: 'C7lgohYFLH', 'bC8gLtnwFe', 'yhQgYqEbba', 'YyygfTPToq', 'Y9qgbWFhWG', 'lr7gN7OxYW', 'mWKg8fvn8A', 'GQ2guBrTr0', 'Q33gM1L6Ho', 'BHfgH31Q4N'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, jhw04bWmQhIXem2aoS.cs	High entropy of concatenated method names: 'ALwNon5ush', 'XqpNY1mey3', 'ofKNbYVK6o', 'Jh9N8o0FKX', 'XEWNuZSLQF', 'mfcbnNPYFS', 'mi6b7NkaKb', 'NagbsrNJoy', 'w34bC4dErm', 'digbh64w6U'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, X4aqCayM4O0bjg6BHK.cs	High entropy of concatenated method names: 'gX18KsW7ML', 'Kvc8vFDgOf', 'qqk8FA70SX', 'TnH8mYqijo', 'G9G8Gf2OPi', 'jkM8Q1qO6J', 'QyU8wEWLCl', 'pwZ8SIiCNO', 'Bur8qeaOqZ', 'LVv8PWWcdx'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, DAK3xI7QBPJNVvpJA7.cs	High entropy of concatenated method names: 'Q0o4CDuKa9', 'oXl4DrO3pb', 'Hx69ZT7u05', 'A4n92uqWWc', 'F5y4Okqrfk', 't7s4EWDJaK', 'cm44x72v8B', 'he54jNITg2', 'eGL4r8D7Ve', 'avm43LraTv'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, TdMXwk2IOCUbuPKgiCM.cs	High entropy of concatenated method names: 'ToString', 'TjOeS2sw73', 'G1aeqVUgoS', 'VpEePZB1yL', 'EbJeW4yc8H', 'fbIeVWRFOq', 'VgEe03S1SR', 'OjNe6vidZM', 'DxIRpGopRJrsKwtaQao', 'MPu0yyoiQ7gtj94EbUk'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, ysYRXux16dGSwPvXBR.cs	High entropy of concatenated method names: 'CXTpSbACMu', 'M07pqurkA4', 'bslpWdbWXM', 'bKupVdZ7w5', 'lqSp6bWiGo', 'IbYpUI0bwa', 'MIupB7PCEN', 'rIFptjTGUU', 'ATBp5XngTa', 'aOOpOrZRSB'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, L8jdffjmDIPT7Qog1H.cs	High entropy of concatenated method names: 'K4W15mjdRb', 'Gxc1E8J10e', 'OAS1jXU2Rb', 'Eki1r60tUX', 'IkV1V888FI', 'IT510Bsfnn', 'VS416FjlYw', 'UhR1U0FDRD', 'vll1dmAem1', 'no21Bdp5dY'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, O0BJiGs6mRPrNTXCp8.cs	High entropy of concatenated method names: 'LBrR1JTgBt', 'WqvR42eyB5', 'Hl0RRZYAQl', 'X6VRewFVKo', 'A1iRApxifW', 'Rv8RlFJgeV', 'Dispose', 'qBy9LovUHs', 'TV19YC0JRk', 'hCk9fci3oN'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, IE0GcRI72Kb56a0DmM.cs	High entropy of concatenated method names: 'B39FD4Sut', 'nkBmI3g0c', 'uhoQFV2WS', 'd4AwLlOK6', 'RJnqqRgsp', 'GKNP3K53J', 'EHZXVbXNk3nDQ7r7l3', 'fqJwY4tmbwHVcFMwYT', 'gPT9W3t6S', 'uT7ivDwWb'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, vjFbPYDPCvOxXUBpPb.cs	High entropy of concatenated method names: 'tKeifFfoN6', 'SYHibPSqPa', 'yJIiN0QMZh', 'Yvxi81QDtd', 'J7eiR0rWCf', 'EKiiuMgPDP', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, OoBgA3fa7Eks4FMyOk.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Fu0IhNdXts', 'MpJIDGgfuB', 'bMPIzJRin6', 'zr1gZd2f4l', 'cvMg27alc3', 'TxFgIPCMx9', 'foKgg5HL6v', 'D31eN1vJ7gV3BBnJWmh'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, V5El6G3x7Lp6nDysBU.cs	High entropy of concatenated method names: 'ToString', 'WwYkOJNChY', 'OdkkVFmMER', 'NLAk0S7XX6', 'rB7k6HOF95', 'HeokUjrlmb', 'gDdkdweoNu', 'FKwkBEwenr', 'yZNktqmh4m', 'u1tkyd7W6d'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, hb5C4BBngYsx8EuB68.cs	High entropy of concatenated method names: 'k0v8LqNm5m', 'e2J8f3CBF3', 'MiT8NPqj7y', 'fR7NDOHL0k', 'fLWNzCLchJ', 'eTo8ZbXtmv', 'GhN82Qhorb', 'CZF8IyHKmG', 't4D8g9ofX2', 'SXO8cGVXel'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, vqvkmUP9Q4RtuG00VD.cs	High entropy of concatenated method names: 'GITbGoBEM4', 'x5kbw5mNJd', 'uL1f0SS1Qn', 'ImHf6lh1uw', 'DeffU9RQUu', 'CspfdnOciM', 'hO2fBYfpvy', 'KVvfto91NO', 'gmRfyv6nof', 'FiGf5KTqwv'
Source: 0.2.Purchase Order PO.exe.7910000.5.raw.unpack, olX3xchBxLDIMK3gZl.cs	High entropy of concatenated method names: 'm2nRWKWYPq', 'jPGRVYVqsi', 'tN2R0Kx8IZ', 'K9JR63HY7i', 'wyxRUZBSg8', 'VebRdUjQ4k', 'mdcRBnmJlx', 'jokRteMIFx', 'JQSRyivjFs', 'b3qR569rA7'

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\isoburn.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Memory allocated: 79A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Memory allocated: 89A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Memory allocated: 8B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Memory allocated: 9B50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\isoburn.exe	Window / User API: threadDelayed 6216			Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Window / User API: threadDelayed 3756			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order PO.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\isoburn.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\Purchase Order PO.exe TID: 6740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe TID: 4324	Thread sleep count: 6216 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe TID: 4324	Thread sleep time: -12432000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe TID: 4324	Thread sleep count: 3756 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe TID: 4324	Thread sleep time: -7512000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe TID: 5024	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe TID: 5024	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe TID: 5024	Thread sleep time: -46500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe TID: 5024	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe TID: 5024	Thread sleep time: -33000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\isoburn.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\isoburn.exe	Last function: Thread delayed

Source: isoburn.exe, 00000007.00000002.4169460570.0000000003037000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`$Dw\
Source: QfgdvbjddZ.exe, 00000008.00000002.4169902840.00000000012FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: firefox.exe, 00000009.00000002.2436258729.000001B2D7D7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: NULL target: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO.exe	Section loaded: NULL target: C:\Windows\SysWOW64\isoburn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: NULL target: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: NULL target: C:\Program Files (x86)\SAmkgsoDaGLUlMXdgHYfokaVNFHsGLOzMJqoobAwaSTwORZJc\QfgdvbjddZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: QfgdvbjddZ.exe, 00000006.00000000.2053668559.0000000001820000.00000002.00000001.00040000.00000000.sdmp, QfgdvbjddZ.exe, 00000006.00000002.4169975849.0000000001820000.00000002.00000001.00040000.00000000.sdmp, QfgdvbjddZ.exe, 00000008.00000002.4170102889.0000000001870000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: QfgdvbjddZ.exe, 00000006.00000000.2053668559.0000000001820000.00000002.00000001.00040000.00000000.sdmp, QfgdvbjddZ.exe, 00000006.00000002.4169975849.0000000001820000.00000002.00000001.00040000.00000000.sdmp, QfgdvbjddZ.exe, 00000008.00000002.4170102889.0000000001870000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: QfgdvbjddZ.exe, 00000006.00000000.2053668559.0000000001820000.00000002.00000001.00040000.00000000.sdmp, QfgdvbjddZ.exe, 00000006.00000002.4169975849.0000000001820000.00000002.00000001.00040000.00000000.sdmp, QfgdvbjddZ.exe, 00000008.00000002.4170102889.0000000001870000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: QfgdvbjddZ.exe, 00000006.00000000.2053668559.0000000001820000.00000002.00000001.00040000.00000000.sdmp, QfgdvbjddZ.exe, 00000006.00000002.4169975849.0000000001820000.00000002.00000001.00040000.00000000.sdmp, QfgdvbjddZ.exe, 00000008.00000002.4170102889.0000000001870000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\isoburn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
101.35.209.183	www.yc791022.asia	China	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	false
77.68.64.45	www.dietcoffee.online	United Kingdom	8560	ONEANDONE-ASBrauerstrasse48DE	false
146.88.233.115	smartcongress.net	France	53589	PLANETHOSTER-8CA	false
161.97.142.144	www.070002018.xyz	United States	51167	CONTABODE	true
209.74.77.107	www.beyondfitness.live	United States	31744	MULTIBAND-NEWHOPEUS	false
104.21.58.90	www.bser101pp.buzz	United States	13335	CLOUDFLARENETUS	false
108.181.189.7	jalan2.online	Canada	852	ASN852CA	false
31.186.11.114	cyperla.xyz	Turkey	199484	BETAINTERNATIONALTR	true
103.224.182.242	www.madhf.tech	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
194.76.119.60	cstrategy.online	Italy	202675	KELIWEBIT	false
35.220.176.144	www.bienmaigrir.info	United States	15169	GOOGLEUS	false
3.33.130.190	goldstarfootwear.shop	United States	8987	AMAZONEXPANSIONGB	false

Name	Malicious	Antivirus Detection	Reputation
http://www.bienmaigrir.info/7yhf/	false	Avira URL Cloud: safe	unknown
http://www.dietcoffee.online/dm4p/	false	Avira URL Cloud: safe	unknown
http://www.bser101pp.buzz/v89f/?Mr60=vR3kWP+v98PFeIQUj3bnjAJ1ckGUCiAryWjHUGMo4+T5xi8TnNV+jgD2+4ag3QdSrCwOZVBfu0hve5I79B9k2Lg1hTzUbXWqWgu/JIX+7IudMx93vwrkJY0=&o6=SpTPojpx7H	false	Avira URL Cloud: safe	unknown
http://www.madhf.tech/6ou6/	false	Avira URL Cloud: safe	unknown
http://www.smartcongress.net/qtfx/?Mr60=KdNk/QG/ntQJ0Ylt7Lyc3znBwC3jfRDsxCMWqIa/89W9m0NHjjmW45E2UxezVHfL5+2nDpZVQ4VEoa9MycOLMlSLf1n7d0xHEmolRusqu1Y7m0apztprjxI=&o6=SpTPojpx7H	false	Avira URL Cloud: safe	unknown
http://www.dietcoffee.online/dm4p/?o6=SpTPojpx7H&Mr60=nAmjXBwFyC120iWGDF5QEkfQ4V9pq4qW/X6vA0SQviJnmQOR7pbzII6Li/fXSuLSC3cdwp3L3c1awzkuuw4A1F2MgfpbEGtSAoSHmNs0Z+rY9P6APqFlZ34=	false	Avira URL Cloud: safe	unknown
http://www.cyperla.xyz/qygv/?o6=SpTPojpx7H&Mr60=PNgLNtFNavTWVACgmh5xCzkhObl4Vn/3Y2lvnmQ+PypmeASZv9aNxFxhHJqyS8bM8Pjr3wsa5/scE4diKg4Wmu6EeWsOoRA0CokgLA8hMNXivrFO8nzFLsU=	false	Avira URL Cloud: safe	unknown
http://www.smartcongress.net/qtfx/	false	Avira URL Cloud: safe	unknown
http://www.yc791022.asia/wu7k/	false	Avira URL Cloud: safe	unknown
http://www.jalan2.online/ykgd/	false	Avira URL Cloud: safe	unknown
http://www.bser101pp.buzz/v89f/	false	Avira URL Cloud: safe	unknown
http://www.madhf.tech/6ou6/?o6=SpTPojpx7H&Mr60=We72k2U8RqyHNx9ftVgFe72GQMu4iuXnCau05KQMUjWmq73IzupFdRGddnmXCSRdMUrkGKdQ0AHY8jBIUc/t5WHt4/FI7OJ+yOIhAl7/LaOCHNokGW9xZfY=	false	Avira URL Cloud: safe	unknown
http://www.070002018.xyz/6m2n/	false	Avira URL Cloud: safe	unknown
http://www.beyondfitness.live/fbpt/?Mr60=sHQWWiJRbY7Czg+qExT5lhETHbNnMxamWGf9ZvbaXe6zmK6gq2rUy+H9V8T+CpeiS8UyZN5qWlRSJl8kNjqw7URZvJro+8N+ASp2jrUizWujex2cueM/JZ0=&o6=SpTPojpx7H	false	Avira URL Cloud: safe	unknown
http://www.goldstarfootwear.shop/8m07/	false	Avira URL Cloud: safe	unknown
http://www.beyondfitness.live/fbpt/	false	Avira URL Cloud: safe	unknown
http://www.cstrategy.online/qx5d/	false	Avira URL Cloud: safe	unknown

Windows Analysis Report Purchase Order PO.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Purchase Order PO.exe

Malware Threat Intel
Provided by

ID:	1560968
Product:	CloudBasic
Start time:	15:10:07
Start date:	22.11.2024
Sample:	Purchase Order PO.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	28d64b4cc91c016c93eb28e1f465efd2
SHA1:	a627004d9e1217d7aa46650f6f7c4e4f085d446b
SHA256:	98ffb783354435168540dc2e8eb4570f865f324169d553ffbad828bf9f33acd3
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order PO.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\l420377x	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3