| ZeroBOX

lega.exe "C:\Users\test22\AppData\Local\Temp\lega.exe"
1704
- zap6859.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\zap6859.exe
  2132
  - zap9306.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\zap9306.exe
    2176
    - zap5462.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\zap5462.exe
      2244
      - tz9648.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\tz9648.exe
        2312
      - v7412DB.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\v7412DB.exe
        2756
    - w78XP44.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\w78XP44.exe
      2804
  - xnmXr68.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\xnmXr68.exe
    2856
- y53BD64.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\y53BD64.exe
  2088
  - oneetx.exe "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe"
    1208
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
      2120
    - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "test22:N"&&CACLS "..\c5d2db5804" /P "test22:R" /E&&Exit
      2512
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2784
      - cacls.exe CACLS "oneetx.exe" /P "test22:N"
        2840
      - cacls.exe CACLS "oneetx.exe" /P "test22:R" /E
        2216
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2412
      - cacls.exe CACLS "..\c5d2db5804" /P "test22:N"
        2720
      - cacls.exe CACLS "..\c5d2db5804" /P "test22:R" /E
        3016
    - 123dsss.exe "C:\Users\test22\AppData\Local\Temp\1000003001\123dsss.exe"
      2904
    - Tarlatan.exe "C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe"
      2188
      - Tarlatan.exe C:\Users\test22\AppData\Local\Temp\1000004001\Tarlatan.exe
        2484
    - Gmeyad.exe "C:\Users\test22\AppData\Local\Temp\1000007001\Gmeyad.exe"
      2876
    - 2023.exe "C:\Users\test22\AppData\Local\Temp\1000011001\2023.exe"
      2716
      - cmd.exe cmd.exe /c "wmic csproduct get uuid"
        2292
        
        WMIC.exe wmic csproduct get uuid
        2264
      - WMIC.exe wmic os get Caption
        184
      - cmd.exe cmd /C "wmic path win32_VideoController get name"
        2344
        
        WMIC.exe wmic path win32_VideoController get name
        288
      - cmd.exe cmd /C "wmic cpu get name"
        2868
        
        WMIC.exe wmic cpu get name
        1780
      - cmd.exe cmd "/c " systeminfo
        2300
        
        systeminfo.exe systeminfo
        2992
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Cookies\" \"C:\Users\test22\AppData\Local\Temp\XVlBzgbaiC\""
        3140
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies\" \"C:\Users\test22\AppData\Local\Temp\MRAjWwhTHc\""
        3300
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\tcuAxhxKQFDaFpL\""
        3404
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\test22\AppData\Local\Temp\SjFbcXoEFf\""
        3508
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\RsWxPLDnJObCsNV\""
        3608
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\test22\AppData\Local\Temp\lgTeMaPEZQ\""
        3704
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\leQYhYzRyWJjPjz\""
        3800
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data\" \"C:\Users\test22\AppData\Local\Temp\pfRFEgmota\""
        3896
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\FetHsbZRjxAwnwe\""
        3992
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\krBEmfdzdc\""
        4088
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\test22\AppData\Local\Temp\EkXBAkjQZLCtTMt\""
        2504
      - powershell.exe powershell "" "copy \"C:\Users\test22\AppData\Local\Microsoft\Windows\History\" \"C:\Users\test22\AppData\Local\Temp\TCoaNatyyi\""
        1480
    - w.exe "C:\Users\test22\AppData\Local\Temp\1000012001\w.exe"
      1684
    - tmpBEB8.exe "C:\Users\test22\AppData\Local\Temp\1000017001\tmpBEB8.exe"
      3032
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      3356
explorer.exe C:\Windows\Explorer.EXE
1236

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents