Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 7, 2024, 11:28 a.m.	Dec. 7, 2024, 11:30 a.m.

Size	686.4KB
Type	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5	`0a1023d7fd543f6b73ad2a4ca553bba1`
SHA256	`d2bef451a44457ef4b1da38982f568e1e75402fbd2fedc6eaa5f761cd6a5e751`
CRC32	`23C358BB`
ssdeep	`12288:B1MX89GjRX3rtCqHTNSnSoSGDVryXhJh7zIuU1On4xLIuWV355FXw/+e4wCu+2Gb:TMs9mRXbnNSnkqIuWV355FXw/+e4wCuK`
Yara	Antivirus - Contains references to security software IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file

WAT Fix.exe "C:\Users\test22\AppData\Local\Temp\WAT Fix.exe"
2552
- cmd.exe cmd.exe /A /C "taskkill /im hale.exe /f 2>NUL>NUL"
  2656
  - taskkill.exe taskkill /im hale.exe /f
    2700
- cmd.exe cmd.exe /A /C "attrib -r -a -s -h %SystemRoot%\system32\hale.exe 2>NUL>NUL"
  2828
  - attrib.exe attrib -r -a -s -h C:\Windows\system32\hale.exe
    2872
- cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\hale.exe 2>NUL>NUL"
  2916
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\servicing\TrustedInstaller.exe"
  2960
  - takeown.exe takeown /f C:\Windows\servicing\TrustedInstaller.exe
    3004
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F"
  3052
  - icacls.exe icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F
    2056
- cmd.exe cmd.exe /A /C "bcdedit.exe -set testsigning off 2>NUL>NUL"
  1728
  - bcdedit.exe bcdedit.exe -set testsigning off
    2136
- cmd.exe cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL"
  2188
  - sc.exe sc config sppsvc start= delayed-auto
    2252
- cmd.exe cmd.exe /A /C "sc config sppuinotify start= demand 2>NUL>NUL"
  2408
  - sc.exe sc config sppuinotify start= demand
    2520
- cmd.exe cmd.exe /A /C "net start sppsvc 2>NUL>NUL"
  2568
  - net.exe net start sppsvc
    2688
    - net1.exe C:\Windows\system32\net1 start sppsvc
      2632
- cmd.exe cmd.exe /A /C "net start sppuinotify 2>NUL>NUL"
  2752
  - net.exe net start sppuinotify
    2856
    - net1.exe C:\Windows\system32\net1 start sppuinotify
      2936
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
  3000
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
  2080
- cmd.exe cmd.exe /A /C "cscript.exe //nologo %SystemRoot%\system32\slmgr.vbs -rilc 2>NUL>NUL"
  2100
  - cscript.exe cscript.exe //nologo C:\Windows\system32\slmgr.vbs -rilc
    2064
- cmd.exe cmd.exe /A /C "sc stop uodin86 2>NUL>NUL"
  2956
  - sc.exe sc stop uodin86
    3032
- cmd.exe cmd.exe /A /C "sc delete uodin86 2>NUL>NUL"
  1152
  - sc.exe sc delete uodin86
    2744
- cmd.exe cmd.exe /A /C "sc stop uodin64 2>NUL>NUL"
  204
  - sc.exe sc stop uodin64
    1576
- cmd.exe cmd.exe /A /C "sc delete uodin64 2>NUL>NUL"
  1852
  - sc.exe sc delete uodin64
    2420
- cmd.exe cmd.exe /A /C "net stop sppsvc 2>NUL>NUL"
  1616
  - net.exe net stop sppsvc
    936
    - net1.exe C:\Windows\system32\net1 stop sppsvc
      2760
- cmd.exe cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL"
  2972
  - net.exe net stop sppuinotify
    2920
    - net1.exe C:\Windows\system32\net1 stop sppuinotify
      452
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\drivers\uodin86.sys"
  1780
  - takeown.exe takeown /f C:\Windows\system32\drivers\uodin86.sys
    2580
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\drivers\uodin64.sys"
  2008
  - takeown.exe takeown /f C:\Windows\system32\drivers\uodin64.sys
    2012
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin86.sys /grant *S-1-1-0:F"
  1120
  - icacls.exe icacls C:\Windows\system32\drivers\uodin86.sys /grant *S-1-1-0:F
    1560
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin64.sys /grant *S-1-1-0:F"
  1520
  - icacls.exe icacls C:\Windows\system32\drivers\uodin64.sys /grant *S-1-1-0:F
    2636
- cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL"
  2776
- cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin64.sys 2>NUL>NUL"
  1920
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slmgr.vbs"
  1512
  - takeown.exe takeown /f C:\Windows\SysWOW64\slmgr.vbs
    1364
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slmgr.vbs /grant *S-1-1-0:F"
  176
  - icacls.exe icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F
    916
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs slmgr.vbs.ngmvy"
  1376
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\user32.dll"
  3044
  - takeown.exe takeown /f C:\Windows\SysWOW64\user32.dll
    2216
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F"
  1668
  - icacls.exe icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F
    544
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.ngmvy"
  3104
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slwga.dll"
  3148
  - takeown.exe takeown /f C:\Windows\SysWOW64\slwga.dll
    3192
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F"
  3240
  - icacls.exe icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F
    3284
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slwga.dll slwga.dll.ngmvy"
  3332
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcomapi.dll"
  3400
  - takeown.exe takeown /f C:\Windows\SysWOW64\sppcomapi.dll
    3444
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F"
  3492
  - icacls.exe icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F
    3536
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcomapi.dll sppcomapi.dll.ngmvy"
  3584
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcommdlg.dll"
  3628
  - takeown.exe takeown /f C:\Windows\SysWOW64\sppcommdlg.dll
    3672
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F"
  3720
  - icacls.exe icacls C:\Windows\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F
    3764
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcommdlg.dll sppcommdlg.dll.ngmvy"
  3812
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppuinotify.dll"
  3856
  - takeown.exe takeown /f C:\Windows\SysWOW64\sppuinotify.dll
    3900
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F"
  3948
  - icacls.exe icacls C:\Windows\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F
    3992
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppuinotify.dll sppuinotify.dll.ngmvy"
  4040
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppwmi.dll"
  4084
  - takeown.exe takeown /f C:\Windows\SysWOW64\sppwmi.dll
    1848
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F"
  3180
  - icacls.exe icacls C:\Windows\SysWOW64\sppwmi.dll /grant *S-1-1-0:F
    3232
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppwmi.dll sppwmi.dll.ngmvy"
  3316
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\systemcpl.dll"
  3360
  - takeown.exe takeown /f C:\Windows\SysWOW64\systemcpl.dll
    3432
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\systemcpl.dll /grant *S-1-1-0:F"
  3512
  - icacls.exe icacls C:\Windows\SysWOW64\systemcpl.dll /grant *S-1-1-0:F
    3576
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\systemcpl.dll systemcpl.dll.ngmvy"
  3640
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winlogon.exe"
  3676
  - takeown.exe takeown /f C:\Windows\SysWOW64\winlogon.exe
    3796
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winlogon.exe /grant *S-1-1-0:F"
  3852
  - icacls.exe icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F
    3928
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winlogon.exe winlogon.exe.ngmvy"
  4012
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winver.exe"
  4052
  - takeown.exe takeown /f C:\Windows\SysWOW64\winver.exe
    2084
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winver.exe /grant *S-1-1-0:F"
  3272
  - icacls.exe icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F
    3364
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.ngmvy"
  3404
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slui.exe"
  3496
  - takeown.exe takeown /f C:\Windows\SysWOW64\slui.exe
    3660
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F"
  3804
  - icacls.exe icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F
    3916
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slui.exe slui.exe.ngmvy"
  4036
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntkrnlpa.exe"
  2168
  - takeown.exe takeown /f C:\Windows\SysWOW64\ntkrnlpa.exe
    3456
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F"
  3440
  - icacls.exe icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F
    3760
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntkrnlpa.exe ntkrnlpa.exe.ngmvy"
  3968
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntoskrnl.exe"
  4080
  - takeown.exe takeown /f C:\Windows\SysWOW64\ntoskrnl.exe
    3312
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F"
  3712
  - icacls.exe icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F
    3932
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntoskrnl.exe ntoskrnl.exe.ngmvy"
  3524
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\Wat\*"
  3844
  - takeown.exe takeown /f C:\Windows\SysWOW64\Wat\*
    3920
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F"
  3860
  - icacls.exe icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F
    3208
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\slmgr.vbs"
  3168
  - takeown.exe takeown /f C:\Windows\system32\slmgr.vbs
    740
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\slmgr.vbs /grant *S-1-1-0:F"
  4136
  - icacls.exe icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F
    4180
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs slmgr.vbs.ngmvy"
  4228
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\user32.dll"
  4272
  - takeown.exe takeown /f C:\Windows\system32\user32.dll
    4316
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\user32.dll /grant *S-1-1-0:F"
  4388
  - icacls.exe icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F
    4436
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\user32.dll user32.dll.ngmvy"
  4544
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\slwga.dll"
  4636
  - takeown.exe takeown /f C:\Windows\system32\slwga.dll
    4696
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\slwga.dll /grant *S-1-1-0:F"
  4784
  - icacls.exe icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F
    4828
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slwga.dll slwga.dll.ngmvy"
  4888
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcomapi.dll"
  4932
  - takeown.exe takeown /f C:\Windows\system32\sppcomapi.dll
    4980
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\sppcomapi.dll /grant *S-1-1-0:F"
  5032
  - icacls.exe icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F
    5076
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.ngmvy"
  4108
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcommdlg.dll"
  4148
  - takeown.exe takeown /f C:\Windows\system32\sppcommdlg.dll
    4220
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F"
  4288
  - icacls.exe icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F
    4384
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppcommdlg.dll sppcommdlg.dll.ngmvy"
  4448
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppuinotify.dll"
  4520
  - takeown.exe takeown /f C:\Windows\system32\sppuinotify.dll
    4632
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\sppuinotify.dll /grant *S-1-1-0:F"
  4668
  - icacls.exe icacls C:\Windows\system32\sppuinotify.dll /grant *S-1-1-0:F
    1708
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppuinotify.dll sppuinotify.dll.ngmvy"
  4860
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppwmi.dll"
  4916
  - takeown.exe takeown /f C:\Windows\system32\sppwmi.dll
    5012
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\sppwmi.dll /grant *S-1-1-0:F"
  5044
  - icacls.exe icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F
    2344
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppwmi.dll sppwmi.dll.ngmvy"
  3348
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\systemcpl.dll"
  1040
  - takeown.exe takeown /f C:\Windows\system32\systemcpl.dll
    4168
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F"
  2652
  - icacls.exe icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F
    4392
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\systemcpl.dll systemcpl.dll.ngmvy"
  4548
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\winlogon.exe"
  1832
  - takeown.exe takeown /f C:\Windows\system32\winlogon.exe
    4880
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\winlogon.exe /grant *S-1-1-0:F"
  5024
  - icacls.exe icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F
    5088
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\winlogon.exe winlogon.exe.ngmvy"
  4128
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\winver.exe"
  4156
  - takeown.exe takeown /f C:\Windows\system32\winver.exe
    4336
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\winver.exe /grant *S-1-1-0:F"
  4516
  - icacls.exe icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F
    1868
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.ngmvy"
  4756
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\slui.exe"
  4952
  - takeown.exe takeown /f C:\Windows\system32\slui.exe
    1172
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F"
  5064
  - icacls.exe icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F
    252
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntkrnlpa.exe"
  4728
  - takeown.exe takeown /f C:\Windows\system32\ntkrnlpa.exe
    4672
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\ntkrnlpa.exe /grant *S-1-1-0:F"
  5028
  - icacls.exe icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F
    4224
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\ntkrnlpa.exe ntkrnlpa.exe.ngmvy"
  4416
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntoskrnl.exe"
  5108
  - takeown.exe takeown /f C:\Windows\system32\ntoskrnl.exe
    4260
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F"
  4464
  - icacls.exe icacls C:\Windows\system32\ntoskrnl.exe /grant *S-1-1-0:F
    4656
- cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\ntoskrnl.exe ntoskrnl.exe.ngmvy"
  4512
- cmd.exe cmd.exe /A /C "takeown /f %SystemRoot%\system32\Wat\*"
  1872
  - takeown.exe takeown /f C:\Windows\system32\Wat\*
    2128
- cmd.exe cmd.exe /A /C "icacls %SystemRoot%\system32\Wat\* /grant *S-1-1-0:F"
  4348
  - icacls.exe icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F
    5124
- cmd.exe cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL"
  5196
- cmd.exe cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\SXS 2>NUL>NUL"
  5240
- cmd.exe cmd.exe /A /C "reg delete HKLM\SOFTWARE\HAL7600 /f 2>NUL>NUL"
  5284
  - reg.exe reg delete HKLM\SOFTWARE\HAL7600 /f
    5328
- cmd.exe cmd.exe /A /C "reg delete HKLM\SOFTWARE\Chew7 /f 2>NUL>NUL"
  5372
  - reg.exe reg delete HKLM\SOFTWARE\Chew7 /f
    5416
- cmd.exe cmd.exe /A /C "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f 2>NUL>NUL"
  5460
  - reg.exe reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f
    5504
- cmd.exe cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL"
  5548
  - schtasks.exe schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f
    5592
- cmd.exe cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f 2>NUL>NUL"
  5640
  - schtasks.exe schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f
    5684
- cmd.exe cmd.exe /A /C "NET START "Windows Modules Installer" 2>NUL>NUL"
  5732
  - net.exe NET START "Windows Modules Installer"
    5776
    - net1.exe C:\Windows\system32\net1 START "Windows Modules Installer"
      5820
- sfc.exe /scanfile=C:\Windows\SysWOW64\slmgr.vbs
  5900
- sfc.exe /scanfile=C:\Windows\System32\slmgr.vbs
  5980
- sfc.exe /scanfile=C:\Windows\SysWOW64\user32.dll
  6080
- sfc.exe /scanfile=C:\Windows\System32\user32.dll
  5156
- sfc.exe /scanfile=C:\Windows\SysWOW64\slwga.dll
  5256
- sfc.exe /scanfile=C:\Windows\System32\slwga.dll
  5324
- sfc.exe /scanfile=C:\Windows\SysWOW64\sppcomapi.dll
  5492
- sfc.exe /scanfile=C:\Windows\System32\sppcomapi.dll
  5624
- sfc.exe /scanfile=C:\Windows\SysWOW64\sppcommdlg.dll
  5688
- sfc.exe /scanfile=C:\Windows\System32\sppcommdlg.dll
  5892
- sfc.exe /scanfile=C:\Windows\SysWOW64\sppuinotify.dll
  5952
- sfc.exe /scanfile=C:\Windows\System32\sppuinotify.dll
  6024
- sfc.exe /scanfile=C:\Windows\SysWOW64\sppwmi.dll
  5168
- sfc.exe /scanfile=C:\Windows\System32\sppwmi.dll
  5340
- sfc.exe /scanfile=C:\Windows\SysWOW64\systemcpl.dll
  5436
- sfc.exe /scanfile=C:\Windows\System32\systemcpl.dll
  5656
- sfc.exe /scanfile=C:\Windows\SysWOW64\winlogon.exe
  5884
- sfc.exe /scanfile=C:\Windows\System32\winlogon.exe
  5976
- sfc.exe /scanfile=C:\Windows\SysWOW64\winver.exe
  6096
- sfc.exe /scanfile=C:\Windows\System32\winver.exe
  5228
- sfc.exe /scanfile=C:\Windows\SysWOW64\slui.exe
  5288
- sfc.exe /scanfile=C:\Windows\System32\slui.exe
  5500
- sfc.exe /scannow
  5748

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (36 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 7, 2024, 11:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2024, 11:22 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 7, 2024, 11:28 a.m.			0	0

Command line console output was observed (7 events)

Time & API	Arguments	Status	Return
WriteConsoleA Dec. 7, 2024, 11:28 a.m.	buffer: Version: Windows 7 Professional N (x64) console_handle: 0x00000013	1	1
WriteConsoleA Dec. 7, 2024, 11:28 a.m.	buffer: Build: 7601.win7sp1_rtm.101119-1850 console_handle: 0x00000013	1	1
WriteConsoleA Dec. 7, 2024, 11:28 a.m.	buffer: ** This application will reboot the system automatically once complete. console_handle: 0x00000013	1	1
WriteConsoleA Dec. 7, 2024, 11:28 a.m.	buffer: ** Do not close this application or shutdown your system. console_handle: 0x00000013	1	1
WriteConsoleA Dec. 7, 2024, 11:28 a.m.	buffer: Correcting the hosts file... console_handle: 0x00000013	1	1
WriteConsoleA Dec. 7, 2024, 11:28 a.m.	buffer: Correcting file permissions... console_handle: 0x00000013	1	1
WriteConsoleA Dec. 7, 2024, 11:29 a.m.	buffer: Correcting modified files... console_handle: 0x00000013	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 7, 2024, 11:28 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PICKLE

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 7, 2024, 11:28 a.m.	stacktrace: Wow64DisableWow64FsRedirection+0x10 Wow64RevertWow64FsRedirection-0x1a kernelbase+0xc6d7 @ 0x7597c6d7 0x1ff11b1 0x1fece16 RuntimeGetStdErr+0x35a DaemonizeApp-0xc6 wat fix+0xd322a @ 0x4d322a enableMenuItems+0x1be StringLeft-0x712 wat fix+0x2e13e @ 0x42e13e enableMenuItems+0x22b StringLeft-0x6a5 wat fix+0x2e1ab @ 0x42e1ab RuntimeRun+0x35 RuntimeNilObject-0x6b wat fix+0x2d445 @ 0x42d445 0x1fc1009 0x1fc0319 0x1fc0024 serialClearBreak+0x1c03 RuntimeSetApplicationPath-0x32d wat fix+0x2cc03 @ 0x42cc03 enableMenuItems+0xe5 StringLeft-0x7eb wat fix+0x2e065 @ 0x42e065 VariantToObject+0x775a wat fix+0xf283a @ 0x4f283a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 89 11 c7 45 fc fe ff ff ff e8 8e 9b fc ff c2 08 exception.symbol: RtlWow64EnableFsRedirectionEx+0x43 RtlTryAcquirePebLock-0x2f7 ntdll+0x6435d exception.instruction: mov dword ptr [ecx], edx exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 410461 exception.address: 0x76f7435d registers.esp: 1632032 registers.edi: 0 registers.eax: 0 registers.ebp: 1632076 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 7, 2024, 11:28 a.m.

stacktrace:

Wow64DisableWow64FsRedirection+0x10 Wow64RevertWow64FsRedirection-0x1a kernelbase+0xc6d7 @ 0x7597c6d7
0x1ff11b1
0x1fece16
RuntimeGetStdErr+0x35a DaemonizeApp-0xc6 wat fix+0xd322a @ 0x4d322a
enableMenuItems+0x1be StringLeft-0x712 wat fix+0x2e13e @ 0x42e13e
enableMenuItems+0x22b StringLeft-0x6a5 wat fix+0x2e1ab @ 0x42e1ab
RuntimeRun+0x35 RuntimeNilObject-0x6b wat fix+0x2d445 @ 0x42d445
0x1fc1009
0x1fc0319
0x1fc0024
serialClearBreak+0x1c03 RuntimeSetApplicationPath-0x32d wat fix+0x2cc03 @ 0x42cc03
enableMenuItems+0xe5 StringLeft-0x7eb wat fix+0x2e065 @ 0x42e065
VariantToObject+0x775a wat fix+0xf283a @ 0x4f283a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 89 11 c7 45 fc fe ff ff ff e8 8e 9b fc ff c2 08
exception.symbol: RtlWow64EnableFsRedirectionEx+0x43 RtlTryAcquirePebLock-0x2f7 ntdll+0x6435d
exception.instruction: mov dword ptr [ecx], edx
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 410461
exception.address: 0x76f7435d
registers.esp: 1632032
registers.edi: 0
registers.eax: 0
registers.ebp: 1632076
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 7, 2024, 11:28 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2024, 11:28 a.m.	process_identifier: 2552 region_size: 258048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2024, 11:21 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\undo.bat

Creates a suspicious process (50 out of 118 events)

cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.ngmvy"
cmdline	cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc delete uodin64 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slwga.dll slwga.dll.ngmvy"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcomapi.dll"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs slmgr.vbs.ngmvy"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcomapi.dll"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "bcdedit.exe -set testsigning off 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winlogon.exe winlogon.exe.ngmvy"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\winlogon.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntkrnlpa.exe"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\winver.exe"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\Wat\*"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.ngmvy"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.ngmvy"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\ntkrnlpa.exe ntkrnlpa.exe.ngmvy"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\systemcpl.dll"
cmdline	cmd.exe /A /C "reg delete HKLM\SOFTWARE\Chew7 /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.ngmvy"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\winlogon.exe"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppwmi.dll"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "cscript.exe //nologo %SystemRoot%\system32\slmgr.vbs -rilc 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\winlogon.exe winlogon.exe.ngmvy"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcommdlg.dll sppcommdlg.dll.ngmvy"
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slui.exe slui.exe.ngmvy"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntoskrnl.exe"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\system32\Wat\*"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winlogon.exe"
cmdline	cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntoskrnl.exe"
cmdline	bcdedit.exe -set testsigning off
cmdline	cmd.exe /A /C "taskkill /im hale.exe /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin64.sys /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin64.sys 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc delete uodin86 2>NUL>NUL"

Executes one or more WMI queries (2 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "hale.exe")
wmi	SELECT Version FROM SoftwareLicensingService

A process created a hidden window (22 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5904 thread_handle: 0x000001e4 process_identifier: 5900 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\slmgr.vbs filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5984 thread_handle: 0x000001e4 process_identifier: 5980 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\slmgr.vbs filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 6084 thread_handle: 0x000001e4 process_identifier: 6080 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\user32.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5152 thread_handle: 0x000001e4 process_identifier: 5156 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\user32.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5260 thread_handle: 0x000001e4 process_identifier: 5256 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\slwga.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5288 thread_handle: 0x000001e4 process_identifier: 5324 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\slwga.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5488 thread_handle: 0x000001e4 process_identifier: 5492 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\sppcomapi.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5620 thread_handle: 0x000001e4 process_identifier: 5624 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\sppcomapi.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5680 thread_handle: 0x000001e4 process_identifier: 5688 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\sppcommdlg.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5860 thread_handle: 0x000001e4 process_identifier: 5892 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\sppcommdlg.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5936 thread_handle: 0x000001e4 process_identifier: 5952 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\sppuinotify.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 6032 thread_handle: 0x000001e4 process_identifier: 6024 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\sppuinotify.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5180 thread_handle: 0x000001e4 process_identifier: 5168 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\sppwmi.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:29 a.m.	thread_identifier: 5356 thread_handle: 0x000001e4 process_identifier: 5340 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\sppwmi.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:30 a.m.	thread_identifier: 5524 thread_handle: 0x000001e4 process_identifier: 5436 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\systemcpl.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:30 a.m.	thread_identifier: 5652 thread_handle: 0x000001e4 process_identifier: 5656 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\systemcpl.dll filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:30 a.m.	thread_identifier: 5832 thread_handle: 0x000001e4 process_identifier: 5884 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\winlogon.exe filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:30 a.m.	thread_identifier: 5928 thread_handle: 0x000001e4 process_identifier: 5976 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\winlogon.exe filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:30 a.m.	thread_identifier: 5984 thread_handle: 0x000001e4 process_identifier: 6096 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\winver.exe filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:30 a.m.	thread_identifier: 5368 thread_handle: 0x000001e4 process_identifier: 5228 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\winver.exe filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:30 a.m.	thread_identifier: 5444 thread_handle: 0x000001e4 process_identifier: 5288 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\SysWOW64\slui.exe filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1
CreateProcessInternalW Dec. 7, 2024, 11:30 a.m.	thread_identifier: 5596 thread_handle: 0x000001e4 process_identifier: 5500 current_directory: filepath: C:\Windows\System32\sfc.exe track: 1 command_line: /scanfile=C:\Windows\System32\slui.exe filepath_r: C:\Windows\System32\sfc.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000150	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 7, 2024, 11:28 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00044e00', u'virtual_address': u'0x0013e000', u'entropy': 7.99850939236506, u'name': u'UPX1', u'virtual_size': u'0x00045000'}

entropy

7.99850939237

description

A section with a high entropy has been found

entropy

0.912251655629

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (30 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Dec. 7, 2024, 11:21 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:21 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2024, 11:22 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (43 events)

cmdline	reg delete HKLM\SOFTWARE\HAL7600 /f
cmdline	sc config sppsvc start= delayed-auto
cmdline	cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc delete uodin64 2>NUL>NUL"
cmdline	cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL"
cmdline	attrib -r -a -s -h C:\Windows\system32\hale.exe
cmdline	cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
cmdline	sc config sppuinotify start= demand
cmdline	cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL"
cmdline	cmd.exe /A /C "reg delete HKLM\SOFTWARE\Chew7 /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
cmdline	sc stop uodin64
cmdline	cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL"
cmdline	reg delete HKLM\SOFTWARE\Chew7 /f
cmdline	cmd.exe /A /C "taskkill /im hale.exe /f 2>NUL>NUL"
cmdline	taskkill /im hale.exe /f
cmdline	cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin64.sys 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc delete uodin86 2>NUL>NUL"
cmdline	schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f
cmdline	sc delete uodin86
cmdline	net stop sppsvc
cmdline	cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL"
cmdline	reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f
cmdline	cmd.exe /A /C "NET START "Windows Modules Installer" 2>NUL>NUL"
cmdline	cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f 2>NUL>NUL"
cmdline	net stop sppuinotify
cmdline	cmd.exe /A /C "net start sppsvc 2>NUL>NUL"
cmdline	cmd.exe /A /C "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f 2>NUL>NUL"
cmdline	net start sppsvc
cmdline	cmd.exe /A /C "sc stop uodin86 2>NUL>NUL"
cmdline	cmd.exe /A /C "net stop sppsvc 2>NUL>NUL"
cmdline	cmd.exe /A /C "net start sppuinotify 2>NUL>NUL"
cmdline	schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f
cmdline	cmd.exe /A /C "attrib -r -a -s -h %SystemRoot%\system32\hale.exe 2>NUL>NUL"
cmdline	sc stop uodin86
cmdline	net start sppuinotify
cmdline	cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\SXS 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc stop uodin64 2>NUL>NUL"
cmdline	NET START "Windows Modules Installer"
cmdline	cmd.exe /A /C "del /f %SystemRoot%\system32\hale.exe 2>NUL>NUL"
cmdline	cmd.exe /A /C "reg delete HKLM\SOFTWARE\HAL7600 /f 2>NUL>NUL"
cmdline	cmd.exe /A /C "sc config sppuinotify start= demand 2>NUL>NUL"
cmdline	sc delete uodin64

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Dec. 7, 2024, 11:21 a.m.	service_handle: 0x000000000032f130 service_name: None control_code: 1	1	1	0
ControlService Dec. 7, 2024, 11:22 a.m.	service_handle: 0x000000000027f190 service_name: None control_code: 1	1	1	0

Modifies boot configuration settings (2 events)

command	cmd.exe /a /c "bcdedit.exe -set testsigning off 2>nul>nul"
command	bcdedit.exe -set testsigning off

Uses suspicious command line tools or Windows utilities (50 out of 62 events)

cmdline	icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\drivers\uodin86.sys /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\drivers\uodin64.sys /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\winlogon.exe /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin64.sys /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\sppwmi.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\drivers\uodin86.sys /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winver.exe /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\slmgr.vbs /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\slwga.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F"
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\sppcomapi.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F
cmdline	icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F
cmdline	icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\user32.dll /grant *S-1-1-0:F"
cmdline	icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F
cmdline	cmd.exe /A /C "icacls %SystemRoot%\system32\ntkrnlpa.exe /grant *S-1-1-0:F"

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Hacktool.Win32.KMSAuto.3!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Hacktool.Winactivator
Skyhigh	Generic.ys
ALYac	Application.Agent.QN
Cylance	Unsafe
VIPRE	Application.Agent.QN
Sangfor	Hacktool.Win32.Winactivator.Vsd5
K7AntiVirus	Riskware ( 0040eff71 )
BitDefender	Application.Agent.QN
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.7fd543
Arcabit	Application.Agent.QN
Symantec	SMG.Heur!gen
tehtris	Generic.Malware
ESET-NOD32	Win32/HackTool.WinActivator.R potentially unsafe
McAfee	Generic.ys
Avast	FileRepPup [PUP]
Kaspersky	HackTool.Win32.KMSAuto.ad
SUPERAntiSpyware	Hack.Tool/Gen-KMSAuto
MicroWorld-eScan	Application.Agent.QN
Rising	Dropper.Dunik!8.83F (CLOUD)
Emsisoft	Application.Agent.QN (B)
F-Secure	PrivacyRisk.SPR/WatFix.70288
DrWeb	Program.Activator.2
McAfeeD	ti!D2BEF451A444
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.0a1023d7fd543f6b
Sophos	Generic Reputation PUA (PUA)
Ikarus	HackTool.Win32.WinActivator
Jiangmin	Trojan.Generic.lyzl
Webroot	W32.Dropper.Gen
Google	Detected
Avira	SPR/WatFix.70288
MAX	malware (ai score=100)
Antiy-AVL	HackTool/Win32.WinActivator
Kingsoft	Win32.HackTool.KMSAuto.ad
Gridinsoft	Hack.Win32.AutoKMS.ns
Microsoft	HackTool:Win32/Winactivator
ViRobot	Tool.WATFix.702881
ZoneAlarm	HackTool.Win32.KMSAuto.ad
GData	Application.Agent.QN
Varist	W32/Dunik.TMYC-7238
AhnLab-V3	Unwanted/Win32.Activation.C1482992
BitDefenderTheta	Gen:NN.ZexaF.36812.QmNfa8VZ1Qoi
DeepInstinct	MALICIOUS
Malwarebytes	Neshta.Virus.FileInfector.DDS
Panda	Trj/WLT.B

WAT Fix.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All