Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 2, 2021, 5:54 p.m.	June 2, 2021, 6:01 p.m.

Size	680.5KB
Type	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5	`c478eded04a9991cc55a34ae81037518`
SHA256	`072564032ee87832c3c73d8aa0f6336af0f257d20f95bac937cbad1a0e2b6c99`
CRC32	`19B17878`
ssdeep	`12288:/1MX89GjRX3rtCqHTNSWkoSGDVr/LhCKJuG3Di1On4xLIuWV355FXw/+e4wCu+2K:9Ms9mRXbnNSSiGaIuWV355FXw/+e4wC3`
Yara	Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature Antivirus - Contains references to security software IsPE32 - (no description)

WAT%20Fix.exe "C:\Users\test22\AppData\Local\Temp\WAT%20Fix.exe"
1108
- cmd.exe cmd.exe /A /C "taskkill /im hale.exe /f 2>NUL>NUL"
  1824
  - taskkill.exe taskkill /im hale.exe /f
    1836
- cmd.exe cmd.exe /A /C "attrib -r -a -s -h %SystemRoot%\system32\hale.exe 2>NUL>NUL"
  2932
  - attrib.exe attrib -r -a -s -h C:\Windows\system32\hale.exe
    2408
- cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\hale.exe 2>NUL>NUL"
  1316
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\servicing\TrustedInstaller.exe"
  2412
  - takeown.exe takeown /f C:\Windows\servicing\TrustedInstaller.exe
    2748
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F"
  2564
  - icacls.exe icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F
    1240
- cmd.exe cmd.exe /A /C "bcdedit.exe -set testsigning off 2>NUL>NUL"
  732
  - bcdedit.exe bcdedit.exe -set testsigning off
    2072
- cmd.exe cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL"
  1444
  - sc.exe sc config sppsvc start= delayed-auto
    3016
- cmd.exe cmd.exe /A /C "sc config sppuinotify start= demand 2>NUL>NUL"
  2908
  - sc.exe sc config sppuinotify start= demand
    3036
- cmd.exe cmd.exe /A /C "net start sppsvc 2>NUL>NUL"
  2692
  - net.exe net start sppsvc
    2332
    - net1.exe C:\Windows\system32\net1 start sppsvc
      2680
- cmd.exe cmd.exe /A /C "net start sppuinotify 2>NUL>NUL"
  596
  - net.exe net start sppuinotify
    260
    - net1.exe C:\Windows\system32\net1 start sppuinotify
      2364
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
  2428
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
  1768
- cmd.exe cmd.exe /A /C "cscript.exe //nologo %SystemRoot%\system32\slmgr.vbs -rilc 2>NUL>NUL"
  2256
  - cscript.exe cscript.exe //nologo C:\Windows\system32\slmgr.vbs -rilc
    2776
- cmd.exe cmd.exe /A /C "sc stop uodin86 2>NUL>NUL"
  2060
  - sc.exe sc stop uodin86
    3068
- cmd.exe cmd.exe /A /C "sc delete uodin86 2>NUL>NUL"
  412
  - sc.exe sc delete uodin86
    2196
- cmd.exe cmd.exe /A /C "sc stop uodin64 2>NUL>NUL"
  2212
  - sc.exe sc stop uodin64
    2780
- cmd.exe cmd.exe /A /C "sc delete uodin64 2>NUL>NUL"
  1304
  - sc.exe sc delete uodin64
    2160
- cmd.exe cmd.exe /A /C "net stop sppsvc 2>NUL>NUL"
  2140
  - net.exe net stop sppsvc
    2632
    - net1.exe C:\Windows\system32\net1 stop sppsvc
      2340
- cmd.exe cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL"
  1908
  - net.exe net stop sppuinotify
    1040
    - net1.exe C:\Windows\system32\net1 stop sppuinotify
      1844
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\drivers\uodin86.sys"
  3148
  - takeown.exe takeown /f C:\Windows\system32\drivers\uodin86.sys
    3192
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\drivers\uodin64.sys"
  3240
  - takeown.exe takeown /f C:\Windows\system32\drivers\uodin64.sys
    3284
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin86.sys /grant *S-1-1-0:F"
  3332
  - icacls.exe icacls C:\Windows\system32\drivers\uodin86.sys /grant *S-1-1-0:F
    3376
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin64.sys /grant *S-1-1-0:F"
  3424
  - icacls.exe icacls C:\Windows\system32\drivers\uodin64.sys /grant *S-1-1-0:F
    3468
- cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL"
  3516
- cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin64.sys 2>NUL>NUL"
  3560
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slmgr.vbs"
  3604
  - takeown.exe takeown /f C:\Windows\SysWOW64\slmgr.vbs
    3648
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slmgr.vbs /grant *S-1-1-0:F"
  3696
  - icacls.exe icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F
    3740
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs slmgr.vbs.avisf"
  3788
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\user32.dll"
  3832
  - takeown.exe takeown /f C:\Windows\SysWOW64\user32.dll
    3876
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F"
  3924
  - icacls.exe icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F
    3968
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.avisf"
  4016
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slwga.dll"
  4060
  - takeown.exe takeown /f C:\Windows\SysWOW64\slwga.dll
    1820
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F"
  2192
  - icacls.exe icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F
    3176
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slwga.dll slwga.dll.avisf"
  3260
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcomapi.dll"
  3288
  - takeown.exe takeown /f C:\Windows\SysWOW64\sppcomapi.dll
    3408
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F"
  3484
  - icacls.exe icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F
    3532
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcomapi.dll sppcomapi.dll.avisf"
  3564
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcommdlg.dll"
  3712
  - takeown.exe takeown /f C:\Windows\SysWOW64\sppcommdlg.dll
    3744
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F"
  3852
  - icacls.exe icacls C:\Windows\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F
    3920
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcommdlg.dll sppcommdlg.dll.avisf"
  3980
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppuinotify.dll"
  4048
  - takeown.exe takeown /f C:\Windows\SysWOW64\sppuinotify.dll
    1048
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F"
  3164
  - icacls.exe icacls C:\Windows\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F
    3300
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppuinotify.dll sppuinotify.dll.avisf"
  3372
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppwmi.dll"
  3512
  - takeown.exe takeown /f C:\Windows\SysWOW64\sppwmi.dll
    3528
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F"
  3676
  - icacls.exe icacls C:\Windows\SysWOW64\sppwmi.dll /grant *S-1-1-0:F
    1892
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppwmi.dll sppwmi.dll.avisf"
  3872
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\systemcpl.dll"
  3972
  - takeown.exe takeown /f C:\Windows\SysWOW64\systemcpl.dll
    3092
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\systemcpl.dll /grant *S-1-1-0:F"
  3204
  - icacls.exe icacls C:\Windows\SysWOW64\systemcpl.dll /grant *S-1-1-0:F
    3100
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\systemcpl.dll systemcpl.dll.avisf"
  3580
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winlogon.exe"
  3500
  - takeown.exe takeown /f C:\Windows\SysWOW64\winlogon.exe
    3816
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winlogon.exe /grant *S-1-1-0:F"
  4036
  - icacls.exe icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F
    3232
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winlogon.exe winlogon.exe.avisf"
  3388
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winver.exe"
  3688
  - takeown.exe takeown /f C:\Windows\SysWOW64\winver.exe
    3936
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winver.exe /grant *S-1-1-0:F"
  2440
  - icacls.exe icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F
    3556
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.avisf"
  3828
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slui.exe"
  3360
  - takeown.exe takeown /f C:\Windows\SysWOW64\slui.exe
    3572
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F"
  3312
  - icacls.exe icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F
    3736
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slui.exe slui.exe.avisf"
  3724
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntkrnlpa.exe"
  4124
  - takeown.exe takeown /f C:\Windows\SysWOW64\ntkrnlpa.exe
    4168
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F"
  4216
  - icacls.exe icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F
    4260
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntkrnlpa.exe ntkrnlpa.exe.avisf"
  4308
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntoskrnl.exe"
  4352
  - takeown.exe takeown /f C:\Windows\SysWOW64\ntoskrnl.exe
    4396
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F"
  4444
  - icacls.exe icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F
    4488
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntoskrnl.exe ntoskrnl.exe.avisf"
  4536
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\Wat\*"
  4580
  - takeown.exe takeown /f C:\Windows\SysWOW64\Wat\*
    4624
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F"
  4668
  - icacls.exe icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F
    4712
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\slmgr.vbs"
  4760
  - takeown.exe takeown /f C:\Windows\system32\slmgr.vbs
    4804
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\slmgr.vbs /grant *S-1-1-0:F"
  4852
  - icacls.exe icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F
    4896
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs slmgr.vbs.avisf"
  4944
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\user32.dll"
  4992
  - takeown.exe takeown /f C:\Windows\system32\user32.dll
    5036
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\user32.dll /grant *S-1-1-0:F"
  5084
  - icacls.exe icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F
    3224
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\user32.dll user32.dll.avisf"
  4180
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\slwga.dll"
  4248
  - takeown.exe takeown /f C:\Windows\system32\slwga.dll
    4324
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\slwga.dll /grant *S-1-1-0:F"
  4416
  - icacls.exe icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F
    4460
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slwga.dll slwga.dll.avisf"
  4484
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcomapi.dll"
  4608
  - takeown.exe takeown /f C:\Windows\system32\sppcomapi.dll
    4724
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\sppcomapi.dll /grant *S-1-1-0:F"
  4788
  - icacls.exe icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F
    4764
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.avisf"
  4936
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcommdlg.dll"
  5008
  - takeown.exe takeown /f C:\Windows\system32\sppcommdlg.dll
    5076
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F"
  4136
  - icacls.exe icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F
    4172
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppcommdlg.dll sppcommdlg.dll.avisf"
  4368
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppuinotify.dll"
  4400
  - takeown.exe takeown /f C:\Windows\system32\sppuinotify.dll
    4492
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\sppuinotify.dll /grant *S-1-1-0:F"
  4652
  - icacls.exe icacls C:\Windows\system32\sppuinotify.dll /grant *S-1-1-0:F
    4716
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppuinotify.dll sppuinotify.dll.avisf"
  4832
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppwmi.dll"
  4872
  - takeown.exe takeown /f C:\Windows\system32\sppwmi.dll
    5020
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\sppwmi.dll /grant *S-1-1-0:F"
  4156
  - icacls.exe icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F
    4236
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppwmi.dll sppwmi.dll.avisf"
  2180
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\systemcpl.dll"
  2868
  - takeown.exe takeown /f C:\Windows\system32\systemcpl.dll
    4504
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F"
  1272
  - icacls.exe icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F
    2812
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\systemcpl.dll systemcpl.dll.avisf"
  4816
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\winlogon.exe"
  4844
  - takeown.exe takeown /f C:\Windows\system32\winlogon.exe
    5116
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\winlogon.exe /grant *S-1-1-0:F"
  4272
  - icacls.exe icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F
    1480
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\winlogon.exe winlogon.exe.avisf"
  4464
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\winver.exe"
  4696
  - takeown.exe takeown /f C:\Windows\system32\winver.exe
    4732
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\winver.exe /grant *S-1-1-0:F"
  4980
  - icacls.exe icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F
    2320
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.avisf"
  2756
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\slui.exe"
  3104
  - takeown.exe takeown /f C:\Windows\system32\slui.exe
    1740
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F"
  4800
  - icacls.exe icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F
    4956
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slui.exe slui.exe.avisf"
  2528
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntkrnlpa.exe"
  812
  - takeown.exe takeown /f C:\Windows\system32\ntkrnlpa.exe
    4656
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\ntkrnlpa.exe /grant *S-1-1-0:F"
  4208
  - icacls.exe icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F
    1916
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\ntkrnlpa.exe ntkrnlpa.exe.avisf"
  4128
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntoskrnl.exe"
  2380
  - takeown.exe takeown /f C:\Windows\system32\ntoskrnl.exe
    152
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F"
  2992
  - icacls.exe icacls C:\Windows\system32\ntoskrnl.exe /grant *S-1-1-0:F
    2968
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\ntoskrnl.exe ntoskrnl.exe.avisf"
  5156
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\Wat\*"
  5200
  - takeown.exe takeown /f C:\Windows\system32\Wat\*
    5244
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\Wat\* /grant *S-1-1-0:F"
  5288
  - icacls.exe icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F
    5332
- cmd.exe cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL"
  5380
- cmd.exe cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\SXS 2>NUL>NUL"
  5424
- cmd.exe cmd.exe /A /C "reg delete HKLM\SOFTWARE\HAL7600 /f 2>NUL>NUL"
  5468
  - reg.exe reg delete HKLM\SOFTWARE\HAL7600 /f
    5512
- cmd.exe cmd.exe /A /C "reg delete HKLM\SOFTWARE\Chew7 /f 2>NUL>NUL"
  5556
  - reg.exe reg delete HKLM\SOFTWARE\Chew7 /f
    5600
- cmd.exe cmd.exe /A /C "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f 2>NUL>NUL"
  5644
  - reg.exe reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f
    5688
- cmd.exe cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL"
  5732
  - schtasks.exe schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f
    5776
- cmd.exe cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f 2>NUL>NUL"
  5828
  - schtasks.exe schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f
    5896
- cmd.exe cmd.exe /A /C "NET START "Windows Modules Installer" 2>NUL>NUL"
  5944
  - net.exe NET START "Windows Modules Installer"
    5988
    - net1.exe C:\Windows\system32\net1 START "Windows Modules Installer"
      6032
- sfc.exe /scannow
  6116

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
95.216.186.40	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (36 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 2, 2021, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 5:53 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 2, 2021, 5:54 p.m.			0	0

Command line console output was observed (7 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 2, 2021, 5:54 p.m.	buffer: Version: Windows 7 Professional N (x64) console_handle: 0x00000013	1	1
WriteConsoleA June 2, 2021, 5:54 p.m.	buffer: Build: 7601.win7sp1_rtm.101119-1850 console_handle: 0x00000013	1	1
WriteConsoleA June 2, 2021, 5:54 p.m.	buffer: ** This application will reboot the system automatically once complete. console_handle: 0x00000013	1	1
WriteConsoleA June 2, 2021, 5:54 p.m.	buffer: ** Do not close this application or shutdown your system. console_handle: 0x00000013	1	1
WriteConsoleA June 2, 2021, 5:54 p.m.	buffer: Correcting the hosts file... console_handle: 0x00000013	1	1
WriteConsoleA June 2, 2021, 5:54 p.m.	buffer: Correcting file permissions... console_handle: 0x00000013	1	1
WriteConsoleA June 2, 2021, 5:56 p.m.	buffer: Correcting modified files... console_handle: 0x00000013	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 2, 2021, 5:54 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PICKLE

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 2, 2021, 5:54 p.m.	stacktrace: Wow64DisableWow64FsRedirection+0x10 Wow64RevertWow64FsRedirection-0x1a kernelbase+0xc6d7 @ 0x76a7c6d7 0x201113e 0x200ce16 RuntimeGetStdErr+0x35a DaemonizeApp-0xc6 wat%20fix+0xd322a @ 0x4d322a enableMenuItems+0x1be StringLeft-0x712 wat%20fix+0x2e13e @ 0x42e13e enableMenuItems+0x22b StringLeft-0x6a5 wat%20fix+0x2e1ab @ 0x42e1ab RuntimeRun+0x35 RuntimeNilObject-0x6b wat%20fix+0x2d445 @ 0x42d445 0x1fe1009 0x1fe0319 0x1fe0024 serialClearBreak+0x1c03 RuntimeSetApplicationPath-0x32d wat%20fix+0x2cc03 @ 0x42cc03 enableMenuItems+0xe5 StringLeft-0x7eb wat%20fix+0x2e065 @ 0x42e065 VariantToObject+0x775a wat%20fix+0xf283a @ 0x4f283a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 11 c7 45 fc fe ff ff ff e8 8e 9b fc ff c2 08 exception.symbol: RtlWow64EnableFsRedirectionEx+0x43 RtlTryAcquirePebLock-0x2f7 ntdll+0x6435d exception.instruction: mov dword ptr [ecx], edx exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 410461 exception.address: 0x7740435d registers.esp: 1632304 registers.edi: 0 registers.eax: 0 registers.ebp: 1632348 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 2, 2021, 5:54 p.m.

stacktrace:

Wow64DisableWow64FsRedirection+0x10 Wow64RevertWow64FsRedirection-0x1a kernelbase+0xc6d7 @ 0x76a7c6d7
0x201113e
0x200ce16
RuntimeGetStdErr+0x35a DaemonizeApp-0xc6 wat%20fix+0xd322a @ 0x4d322a
enableMenuItems+0x1be StringLeft-0x712 wat%20fix+0x2e13e @ 0x42e13e
enableMenuItems+0x22b StringLeft-0x6a5 wat%20fix+0x2e1ab @ 0x42e1ab
RuntimeRun+0x35 RuntimeNilObject-0x6b wat%20fix+0x2d445 @ 0x42d445
0x1fe1009
0x1fe0319
0x1fe0024
serialClearBreak+0x1c03 RuntimeSetApplicationPath-0x32d wat%20fix+0x2cc03 @ 0x42cc03
enableMenuItems+0xe5 StringLeft-0x7eb wat%20fix+0x2e065 @ 0x42e065
VariantToObject+0x775a wat%20fix+0xf283a @ 0x4f283a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 11 c7 45 fc fe ff ff ff e8 8e 9b fc ff c2 08
exception.symbol: RtlWow64EnableFsRedirectionEx+0x43 RtlTryAcquirePebLock-0x2f7 ntdll+0x6435d
exception.instruction: mov dword ptr [ecx], edx
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 410461
exception.address: 0x7740435d
registers.esp: 1632304
registers.edi: 0
registers.eax: 0
registers.ebp: 1632348
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 2, 2021, 5:54 p.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 2, 2021, 5:54 p.m.	process_identifier: 1108 region_size: 253952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 2, 2021, 5:47 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\undo.bat

Creates a suspicious process (50 out of 118 events)

cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs slmgr.vbs.avisf"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.avisf"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc delete uodin64 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntoskrnl.exe ntoskrnl.exe.avisf"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcomapi.dll"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcomapi.dll"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "bcdedit.exe -set testsigning off 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntkrnlpa.exe ntkrnlpa.exe.avisf"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntoskrnl.exe"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntkrnlpa.exe"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\systemcpl.dll systemcpl.dll.avisf"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\winver.exe"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\Wat\*"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\slwga.dll slwga.dll.avisf"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\systemcpl.dll"
cmdline	cmd.exe /A /C "reg delete HKLM\SOFTWARE\Chew7 /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.avisf"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\winlogon.exe"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.avisf"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppwmi.dll sppwmi.dll.avisf"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppwmi.dll"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "cscript.exe //nologo %SystemRoot%\system32\slmgr.vbs -rilc 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\user32.dll user32.dll.avisf"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\slui.exe slui.exe.avisf"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin86.sys /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\Wat\*"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\sppuinotify.dll sppuinotify.dll.avisf"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winlogon.exe"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntoskrnl.exe"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F"
cmdline	bcdedit.exe -set testsigning off
cmdline	cmd.exe /A /C "taskkill /im hale.exe /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.avisf"

Executes one or more WMI queries (2 events)

wmi	SELECT Version FROM SoftwareLicensingService
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "hale.exe")

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 2, 2021, 5:54 p.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00044e00', u'virtual_address': u'0x0013e000', u'entropy': 7.9985101505823, u'name': u'UPX1', u'virtual_size': u'0x00045000'}

entropy

7.99851015058

description

A section with a high entropy has been found

entropy

0.912251655629

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (30 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 2, 2021, 5:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:47 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:52 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:52 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:52 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:52 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:52 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 2, 2021, 5:53 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (43 events)

cmdline	sc stop uodin86
cmdline	sc config sppsvc start= delayed-auto
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc delete uodin64 2>NUL>NUL"
cmdline	reg delete HKLM\SOFTWARE\HAL7600 /f
cmdline	cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL"
cmdline	attrib -r -a -s -h C:\Windows\system32\hale.exe
cmdline	sc config sppuinotify start= demand
cmdline	cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL"
cmdline	cmd.exe /A /C "reg delete HKLM\SOFTWARE\Chew7 /f 2>NUL>NUL"
cmdline	sc stop uodin64
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
cmdline	cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL"
cmdline	reg delete HKLM\SOFTWARE\Chew7 /f
cmdline	cmd.exe /A /C "taskkill /im hale.exe /f 2>NUL>NUL"
cmdline	net start sppuinotify
cmdline	taskkill /im hale.exe /f
cmdline	cmd.exe /A /C "sc delete uodin86 2>NUL>NUL"
cmdline	schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f
cmdline	sc delete uodin86
cmdline	cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "NET START "Windows Modules Installer" 2>NUL>NUL"
cmdline	net stop sppsvc
cmdline	net stop sppuinotify
cmdline	cmd.exe /A /C "net start sppsvc 2>NUL>NUL"
cmdline	net start sppsvc
cmdline	cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc stop uodin86 2>NUL>NUL"
cmdline	cmd.exe /A /C "net stop sppsvc 2>NUL>NUL"
cmdline	cmd.exe /A /C "net start sppuinotify 2>NUL>NUL"
cmdline	schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f
cmdline	cmd.exe /A /C "attrib -r -a -s -h %SystemRoot%\system32\hale.exe 2>NUL>NUL"
cmdline	cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\SXS 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc stop uodin64 2>NUL>NUL"
cmdline	NET START "Windows Modules Installer"
cmdline	cmd.exe /A /C "del /f %SystemRoot%\system32\hale.exe 2>NUL>NUL"
cmdline	cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin64.sys 2>NUL>NUL"
cmdline	cmd.exe /A /C "reg delete HKLM\SOFTWARE\HAL7600 /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc config sppuinotify start= demand 2>NUL>NUL"
cmdline	reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f
cmdline	sc delete uodin64

Communicates with host for which no DNS query was performed (1 event)

host

95.216.186.40

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService June 2, 2021, 5:52 p.m.	service_handle: 0x000000000036f2d0 service_name: None control_code: 1	1	1	0
ControlService June 2, 2021, 5:52 p.m.	service_handle: 0x000000000043f340 service_name: None control_code: 1	1	1	0

Modifies boot configuration settings (2 events)

command	cmd.exe /a /c "bcdedit.exe -set testsigning off 2>nul>nul"
command	bcdedit.exe -set testsigning off

Uses suspicious command line tools or Windows utilities (50 out of 62 events)

cmdline	icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\drivers\uodin86.sys /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\drivers\uodin64.sys /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin86.sys /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin64.sys /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winver.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\slmgr.vbs /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\slwga.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\sppcomapi.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\user32.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\ntkrnlpa.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winlogon.exe /grant *S-1-1-0:F"

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

FireEye	Generic.mg.c478eded04a9991c
CAT-QuickHeal	Trojan.IGENERIC
McAfee	Generic.enl
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
ClamAV	Win.Trojan.Agent-571715
Sophos	Generic ML PUA (PUA)
Comodo	Malware@#2iimiars0vfpf
VIPRE	Trojan-Dropper.Win32.Agent
TrendMicro	CRCK_WTFIXX
McAfee-GW-Edition	Generic.enl
Jiangmin	Trojan.Generic.lyzl
Antiy-AVL	Trojan/Generic.ASMalwS.9EBDF6
Gridinsoft	Trojan.Win32.Agent.ns
Microsoft	HackTool:Win32/Keygen
GData	Win32.Trojan.Agent.6LX98Y
Malwarebytes	Malware.AI.4241508839
Zoner	Trojan.Win32.41187
TrendMicro-HouseCall	CRCK_WTFIXX
Yandex	Trojan.DR.Agent!SvZzQuCCNgI
MaxSecure	Trojan.Malware.300983.susgen
Webroot	W32.Dropper.Gen
Panda	Generic Malware
CrowdStrike	win/malicious_confidence_60% (W)

WAT%20Fix.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All