| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6401 | June 2, 2021, 5:54 p.m. | June 2, 2021, 6:01 p.m. |
-
-
-
taskkill.exe taskkill /im hale.exe /f
1836
-
-
-
attrib.exe attrib -r -a -s -h C:\Windows\system32\hale.exe
2408
-
-
cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\hale.exe 2>NUL>NUL"
1316 -
-
takeown.exe takeown /f C:\Windows\servicing\TrustedInstaller.exe
2748
-
-
-
icacls.exe icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F
1240
-
-
-
bcdedit.exe bcdedit.exe -set testsigning off
2072
-
-
-
sc.exe sc config sppsvc start= delayed-auto
3016
-
-
-
sc.exe sc config sppuinotify start= demand
3036
-
-
-
-
net1.exe C:\Windows\system32\net1 start sppsvc
2680
-
-
-
-
-
net1.exe C:\Windows\system32\net1 start sppuinotify
2364
-
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
2428 -
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
1768 -
-
cscript.exe cscript.exe //nologo C:\Windows\system32\slmgr.vbs -rilc
2776
-
-
-
sc.exe sc stop uodin86
3068
-
-
-
sc.exe sc delete uodin86
2196
-
-
-
sc.exe sc stop uodin64
2780
-
-
-
sc.exe sc delete uodin64
2160
-
-
-
-
net1.exe C:\Windows\system32\net1 stop sppsvc
2340
-
-
-
-
-
net1.exe C:\Windows\system32\net1 stop sppuinotify
1844
-
-
-
-
takeown.exe takeown /f C:\Windows\system32\drivers\uodin86.sys
3192
-
-
-
takeown.exe takeown /f C:\Windows\system32\drivers\uodin64.sys
3284
-
-
-
icacls.exe icacls C:\Windows\system32\drivers\uodin86.sys /grant *S-1-1-0:F
3376
-
-
-
icacls.exe icacls C:\Windows\system32\drivers\uodin64.sys /grant *S-1-1-0:F
3468
-
-
cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL"
3516 -
cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin64.sys 2>NUL>NUL"
3560 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\slmgr.vbs
3648
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F
3740
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs slmgr.vbs.avisf"
3788 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\user32.dll
3876
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F
3968
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.avisf"
4016 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\slwga.dll
1820
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F
3176
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slwga.dll slwga.dll.avisf"
3260 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\sppcomapi.dll
3408
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F
3532
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcomapi.dll sppcomapi.dll.avisf"
3564 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\sppcommdlg.dll
3744
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F
3920
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcommdlg.dll sppcommdlg.dll.avisf"
3980 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\sppuinotify.dll
1048
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F
3300
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppuinotify.dll sppuinotify.dll.avisf"
3372 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\sppwmi.dll
3528
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\sppwmi.dll /grant *S-1-1-0:F
1892
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppwmi.dll sppwmi.dll.avisf"
3872 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\systemcpl.dll
3092
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\systemcpl.dll /grant *S-1-1-0:F
3100
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\systemcpl.dll systemcpl.dll.avisf"
3580 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\winlogon.exe
3816
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F
3232
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winlogon.exe winlogon.exe.avisf"
3388 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\winver.exe
3936
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F
3556
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.avisf"
3828 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\slui.exe
3572
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F
3736
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slui.exe slui.exe.avisf"
3724 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\ntkrnlpa.exe
4168
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F
4260
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntkrnlpa.exe ntkrnlpa.exe.avisf"
4308 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\ntoskrnl.exe
4396
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F
4488
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntoskrnl.exe ntoskrnl.exe.avisf"
4536 -
-
takeown.exe takeown /f C:\Windows\SysWOW64\Wat\*
4624
-
-
-
icacls.exe icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F
4712
-
-
-
takeown.exe takeown /f C:\Windows\system32\slmgr.vbs
4804
-
-
-
icacls.exe icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F
4896
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs slmgr.vbs.avisf"
4944 -
-
takeown.exe takeown /f C:\Windows\system32\user32.dll
5036
-
-
-
icacls.exe icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F
3224
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\user32.dll user32.dll.avisf"
4180 -
-
takeown.exe takeown /f C:\Windows\system32\slwga.dll
4324
-
-
-
icacls.exe icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F
4460
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slwga.dll slwga.dll.avisf"
4484 -
-
takeown.exe takeown /f C:\Windows\system32\sppcomapi.dll
4724
-
-
-
icacls.exe icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F
4764
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.avisf"
4936 -
-
takeown.exe takeown /f C:\Windows\system32\sppcommdlg.dll
5076
-
-
-
icacls.exe icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F
4172
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppcommdlg.dll sppcommdlg.dll.avisf"
4368 -
-
takeown.exe takeown /f C:\Windows\system32\sppuinotify.dll
4492
-
-
-
icacls.exe icacls C:\Windows\system32\sppuinotify.dll /grant *S-1-1-0:F
4716
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppuinotify.dll sppuinotify.dll.avisf"
4832 -
-
takeown.exe takeown /f C:\Windows\system32\sppwmi.dll
5020
-
-
-
icacls.exe icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F
4236
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppwmi.dll sppwmi.dll.avisf"
2180 -
-
takeown.exe takeown /f C:\Windows\system32\systemcpl.dll
4504
-
-
-
icacls.exe icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F
2812
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\systemcpl.dll systemcpl.dll.avisf"
4816 -
-
takeown.exe takeown /f C:\Windows\system32\winlogon.exe
5116
-
-
-
icacls.exe icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F
1480
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\winlogon.exe winlogon.exe.avisf"
4464 -
-
takeown.exe takeown /f C:\Windows\system32\winver.exe
4732
-
-
-
icacls.exe icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F
2320
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.avisf"
2756 -
-
takeown.exe takeown /f C:\Windows\system32\slui.exe
1740
-
-
-
icacls.exe icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F
4956
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slui.exe slui.exe.avisf"
2528 -
-
takeown.exe takeown /f C:\Windows\system32\ntkrnlpa.exe
4656
-
-
-
icacls.exe icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F
1916
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\ntkrnlpa.exe ntkrnlpa.exe.avisf"
4128 -
-
takeown.exe takeown /f C:\Windows\system32\ntoskrnl.exe
152
-
-
-
icacls.exe icacls C:\Windows\system32\ntoskrnl.exe /grant *S-1-1-0:F
2968
-
-
cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\ntoskrnl.exe ntoskrnl.exe.avisf"
5156 -
-
takeown.exe takeown /f C:\Windows\system32\Wat\*
5244
-
-
-
icacls.exe icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F
5332
-
-
cmd.exe cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL"
5380 -
cmd.exe cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\SXS 2>NUL>NUL"
5424 -
-
reg.exe reg delete HKLM\SOFTWARE\HAL7600 /f
5512
-
-
-
reg.exe reg delete HKLM\SOFTWARE\Chew7 /f
5600
-
-
cmd.exe cmd.exe /A /C "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f 2>NUL>NUL"
5644 -
reg.exe reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f
5688
-
-
-
schtasks.exe schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f
5776
-
-
-
schtasks.exe schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f
5896
-
-
-
-
net1.exe C:\Windows\system32\net1 START "Windows Modules Installer"
6032
-
-
-
sfc.exe /scannow
6116
-
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
packer | UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser |
resource name | PICKLE |
file | C:\undo.bat |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs slmgr.vbs.avisf" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.avisf" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL" |
cmdline | cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL" |
cmdline | cmd.exe /A /C "sc delete uodin64 2>NUL>NUL" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntoskrnl.exe ntoskrnl.exe.avisf" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcomapi.dll" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcomapi.dll" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "bcdedit.exe -set testsigning off 2>NUL>NUL" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntkrnlpa.exe ntkrnlpa.exe.avisf" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntoskrnl.exe" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntkrnlpa.exe" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\systemcpl.dll systemcpl.dll.avisf" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\system32\winver.exe" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\Wat\*" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\slwga.dll slwga.dll.avisf" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\system32\systemcpl.dll" |
cmdline | cmd.exe /A /C "reg delete HKLM\SOFTWARE\Chew7 /f 2>NUL>NUL" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.avisf" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\system32\winlogon.exe" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.avisf" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppwmi.dll sppwmi.dll.avisf" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppwmi.dll" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "cscript.exe //nologo %SystemRoot%\system32\slmgr.vbs -rilc 2>NUL>NUL" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\user32.dll user32.dll.avisf" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\slui.exe slui.exe.avisf" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin86.sys /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\system32\Wat\*" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\sppuinotify.dll sppuinotify.dll.avisf" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winlogon.exe" |
cmdline | cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntoskrnl.exe" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F" |
cmdline | bcdedit.exe -set testsigning off |
cmdline | cmd.exe /A /C "taskkill /im hale.exe /f 2>NUL>NUL" |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.avisf" |
wmi | SELECT Version FROM SoftwareLicensingService |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "hale.exe") |
section | {u'size_of_data': u'0x00044e00', u'virtual_address': u'0x0013e000', u'entropy': 7.9985101505823, u'name': u'UPX1', u'virtual_size': u'0x00045000'} | entropy | 7.99851015058 | description | A section with a high entropy has been found |
entropy | 0.912251655629 | description | Overall entropy of this PE file is high |
section | UPX0 | description | Section name indicates UPX |
section | UPX1 | description | Section name indicates UPX |
cmdline | sc stop uodin86 |
cmdline | sc config sppsvc start= delayed-auto |
cmdline | cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL" |
cmdline | cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL" |
cmdline | cmd.exe /A /C "sc delete uodin64 2>NUL>NUL" |
cmdline | reg delete HKLM\SOFTWARE\HAL7600 /f |
cmdline | cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL" |
cmdline | attrib -r -a -s -h C:\Windows\system32\hale.exe |
cmdline | sc config sppuinotify start= demand |
cmdline | cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL" |
cmdline | cmd.exe /A /C "reg delete HKLM\SOFTWARE\Chew7 /f 2>NUL>NUL" |
cmdline | sc stop uodin64 |
cmdline | cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL" |
cmdline | cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL" |
cmdline | reg delete HKLM\SOFTWARE\Chew7 /f |
cmdline | cmd.exe /A /C "taskkill /im hale.exe /f 2>NUL>NUL" |
cmdline | net start sppuinotify |
cmdline | taskkill /im hale.exe /f |
cmdline | cmd.exe /A /C "sc delete uodin86 2>NUL>NUL" |
cmdline | schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f |
cmdline | sc delete uodin86 |
cmdline | cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f 2>NUL>NUL" |
cmdline | cmd.exe /A /C "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f 2>NUL>NUL" |
cmdline | cmd.exe /A /C "NET START "Windows Modules Installer" 2>NUL>NUL" |
cmdline | net stop sppsvc |
cmdline | net stop sppuinotify |
cmdline | cmd.exe /A /C "net start sppsvc 2>NUL>NUL" |
cmdline | net start sppsvc |
cmdline | cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL" |
cmdline | cmd.exe /A /C "sc stop uodin86 2>NUL>NUL" |
cmdline | cmd.exe /A /C "net stop sppsvc 2>NUL>NUL" |
cmdline | cmd.exe /A /C "net start sppuinotify 2>NUL>NUL" |
cmdline | schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f |
cmdline | cmd.exe /A /C "attrib -r -a -s -h %SystemRoot%\system32\hale.exe 2>NUL>NUL" |
cmdline | cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\SXS 2>NUL>NUL" |
cmdline | cmd.exe /A /C "sc stop uodin64 2>NUL>NUL" |
cmdline | NET START "Windows Modules Installer" |
cmdline | cmd.exe /A /C "del /f %SystemRoot%\system32\hale.exe 2>NUL>NUL" |
cmdline | cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin64.sys 2>NUL>NUL" |
cmdline | cmd.exe /A /C "reg delete HKLM\SOFTWARE\HAL7600 /f 2>NUL>NUL" |
cmdline | cmd.exe /A /C "sc config sppuinotify start= demand 2>NUL>NUL" |
cmdline | reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f |
cmdline | sc delete uodin64 |
host | 95.216.186.40 |
command | cmd.exe /a /c "bcdedit.exe -set testsigning off 2>nul>nul" |
command | bcdedit.exe -set testsigning off |
cmdline | icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\system32\drivers\uodin86.sys /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\system32\drivers\uodin64.sys /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin86.sys /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin64.sys /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winver.exe /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\slmgr.vbs /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\slwga.dll /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\sppcomapi.dll /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F |
cmdline | icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\user32.dll /grant *S-1-1-0:F" |
cmdline | icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\system32\ntkrnlpa.exe /grant *S-1-1-0:F" |
cmdline | cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winlogon.exe /grant *S-1-1-0:F" |
FireEye | Generic.mg.c478eded04a9991c |
CAT-QuickHeal | Trojan.IGENERIC |
McAfee | Generic.enl |
Cylance | Unsafe |
K7AntiVirus | Riskware ( 0040eff71 ) |
K7GW | Riskware ( 0040eff71 ) |
ClamAV | Win.Trojan.Agent-571715 |
Sophos | Generic ML PUA (PUA) |
Comodo | Malware@#2iimiars0vfpf |
VIPRE | Trojan-Dropper.Win32.Agent |
TrendMicro | CRCK_WTFIXX |
McAfee-GW-Edition | Generic.enl |
Jiangmin | Trojan.Generic.lyzl |
Antiy-AVL | Trojan/Generic.ASMalwS.9EBDF6 |
Gridinsoft | Trojan.Win32.Agent.ns |
Microsoft | HackTool:Win32/Keygen |
GData | Win32.Trojan.Agent.6LX98Y |
Malwarebytes | Malware.AI.4241508839 |
Zoner | Trojan.Win32.41187 |
TrendMicro-HouseCall | CRCK_WTFIXX |
Yandex | Trojan.DR.Agent!SvZzQuCCNgI |
MaxSecure | Trojan.Malware.300983.susgen |
Webroot | W32.Dropper.Gen |
Panda | Generic Malware |
CrowdStrike | win/malicious_confidence_60% (W) |