| ZeroBOX

fontWinRuntimecrtNetrefruntimedll.exe "C:\Users\test22\AppData\Local\Temp\fontWinRuntimecrtNetrefruntimedll.exe"
2388
- schtasks.exe "schtasks" /create /tn "fontWinRuntimecrtNetrefruntimedll" /sc ONLOGON /tr "'C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C)\fontWinRuntimecrtNetrefruntimedll.exe'" /rl HIGHEST /f
  2760
- schtasks.exe "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\C_20932\wininit.exe'" /rl HIGHEST /f
  1420
- schtasks.exe "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
  2576
- schtasks.exe "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
  2200
- schtasks.exe "schtasks" /create /tn "srvany" /sc ONLOGON /tr "'C:\Windows\SysWOW64\wscript\srvany.exe'" /rl HIGHEST /f
  2332
- fontWinRuntimecrtNetrefruntimedll.exe "C:\Users\test22\AppData\Local\Temp\fontWinRuntimecrtNetrefruntimedll.exe"
  2888
  - schtasks.exe "schtasks" /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Windows\System32\ntshrui\SearchIndexer.exe'" /rl HIGHEST /f
    240
  - schtasks.exe "schtasks" /create /tn "pw" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\pw.exe'" /rl HIGHEST /f
    2064
  - schtasks.exe "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Templates\smss.exe'" /rl HIGHEST /f
    1032
  - schtasks.exe "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
    1232
  - schtasks.exe "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\C_500\taskhost.exe'" /rl HIGHEST /f
    1896
  - schtasks.exe "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WMIPICMP\WmiPrvSE.exe'" /rl HIGHEST /f
    2608
  - schtasks.exe "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ab7d780a-0706-11e8-9512-b992fd7a33be\winlogon.exe'" /rl HIGHEST /f
    916
  - schtasks.exe "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\util\ProcessMonitor\explorer.exe'" /rl HIGHEST /f
    2092
  - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\E9yULbl2mt.bat"
    1768
    - chcp.com chcp 65001
      2316
    - PING.EXE ping -n 5 localhost
      2520
    - WmiPrvSE.exe "C:\PerfLogs\Admin\WmiPrvSE.exe"
      2680

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents