Summary | ZeroBOX

3-1.exe

Generic Malware UPX ASPack Malicious Library Malicious Packer ScreenShot KeyLogger Internet API persistence Socket Escalate privileges SMTP DNS PWS Dynamic Dns SSL AntiDebug OS Processor Check MZP Format dll PE File AntiVM DllRegisterServer PE32
Category: FILE
Machine: s1_win7_x6401
Started: July 29, 2024, 1:21 p.m.
Completed: July 29, 2024, 1:24 p.m.
Size 3.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3482f7d0b7c1a3eeca3874bc9a1397ce
SHA256 1dc783558cba423c983d34470ea0ade6ada68fb268833f0d12fab74e48da5e3f
CRC32 708944AA
ssdeep 98304:nnsmtk2aC4uTo0ZxLOlSAl/o0YkIq9VLru:nLz4eDYSAlNG
Yara
  • DllRegisterServer_Zero - execute regsvr32.exe
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • ASPack_Zero - ASPack packed file
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • mzp_file_format - MZP(Delphi) file format
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
103.129.252.45 Active Moloch
142.250.196.238 Active Moloch
142.250.71.129 Active Moloch
162.125.80.18 Active Moloch
164.124.101.2 Active Moloch
38.147.172.248 Active Moloch
69.42.215.252 Active Moloch
45.33.6.223 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 103.129.252.45:25 -> 192.168.56.101:49168 2260002 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2015633 ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com Misc activity
TCP 192.168.56.101:49188 -> 162.125.80.18:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49187 -> 162.125.80.18:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49185 -> 142.250.196.238:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49186 -> 142.250.71.129:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
Note: SID 906200054 matches the JA3 hash of the client hello, so it characterises the TLS stack the sample uses rather than the destination; the two flows with certificate details below terminate at hosts presenting Google Trust Services certificates, not at Tofsee infrastructure.

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49185 -> 142.250.196.238:443 | C=US, O=Google Trust Services, CN=WR2 | CN=*.google.com | 0e:b6:5c:7b:0b:ac:b5:af:1f:df:47:14:61:b7:0d:4c:41:6f:47:53
TLSv1 192.168.56.101:49186 -> 142.250.71.129:443 | C=US, O=Google Trust Services, CN=WR2 | CN=*.usercontent.google.com | 02:88:52:bb:1a:d8:e4:3d:9f:a8:8f:00:8d:5c:55:f5:c4:ba:59:0d

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
synaptics+0x7bda4 @ 0x47bda4
synaptics+0x7bcf2 @ 0x47bcf2
synaptics+0x7bcb3 @ 0x47bcb3
synaptics+0x845fd @ 0x4845fd
synaptics+0x959fc @ 0x4959fc
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade (0x0EEDFADE is the Delphi/C++Builder RTL exception code passed to RaiseException, consistent with the Delphi packer identification above; the three raises below come from the same call site in the synaptics module)
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 58392028
registers.edi: 58392216
registers.eax: 58392028
registers.ebp: 58392108
registers.edx: 0
registers.ebx: 4703484
registers.esi: 11001
registers.ecx: 7
1 0 0

__exception__

stacktrace:
synaptics+0x7bda4 @ 0x47bda4
synaptics+0x7bcf2 @ 0x47bcf2
synaptics+0x7bcb3 @ 0x47bcb3
synaptics+0x845fd @ 0x4845fd
synaptics+0x95a83 @ 0x495a83
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 58389840
registers.edi: 58390028
registers.eax: 58389840
registers.ebp: 58389920
registers.edx: 0
registers.ebx: 4703484
registers.esi: 11004
registers.ecx: 7
1 0 0

__exception__

stacktrace:
synaptics+0x7bda4 @ 0x47bda4
synaptics+0x7bcf2 @ 0x47bcf2
synaptics+0x7bcb3 @ 0x47bcb3
synaptics+0x845fd @ 0x4845fd
synaptics+0x95b0a @ 0x495b0a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 58387652
registers.edi: 58387840
registers.eax: 58387652
registers.ebp: 58387732
registers.edx: 0
registers.ebx: 4703484
registers.esi: 11001
registers.ecx: 7
1 0 0
domain xred.mooo.com
request GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
request GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
request GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02300000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2676
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2736
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00780000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2736
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73562000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00660000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73562000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73562000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73562000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2992
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00780000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2992
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73562000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3064
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73562000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2192
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ea0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73562000
process_handle: 0xffffffff
1 0 0
description ._cache_csrss2.exe tried to sleep 189 seconds, actually delayed analysis time by 189 seconds
name RT_ICON language LANG_TURKISH filetype dBase IV DBT of @.DBF, block length 8192, next free block index 40 sublanguage SUBLANG_DEFAULT offset 0x000b39f8 size 0x000010a8
name RT_RCDATA language LANG_TURKISH filetype Microsoft Excel 2007+ sublanguage SUBLANG_DEFAULT offset 0x00370410 size 0x000047d3 (identical entry listed 8 times in the raw report)
name RT_GROUP_ICON language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x00374c70 size 0x00000014
name RT_VERSION language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x00374c84 size 0x00000304
domain docs.google.com
file C:\Users\test22\AppData\Local\Temp\._cache_3-1.exe
file C:\Users\test22\AppData\Roaming\JJ.exe
file C:\Users\test22\AppData\Roaming\._cache_ctfmon.exe
file C:\ProgramData\Synaptics\Synaptics.dll
file C:\Users\test22\AppData\Roaming\._cache_csrss2.exe
file C:\Users\test22\AppData\Local\Temp\csrss2.exe
file C:\Users\test22\AppData\Roaming\TT直播（桃子直播）.exe (GBK-encoded filename; the raw report renders its bytes as TTÖ±²¥£¨ÌÒ×ÓÖ±²¥£©.exe)
file C:\Users\test22\AppData\Local\Temp\csrss1.exe
Time & API Arguments Status Return Repeated

CreateServiceA

service_start_name:
start_type: 2
password:
display_name: Mnopqr Tuvwxyab Defghijk Mnop
filepath: C:\Windows\lulxmm.exe
service_name: Mnopqr
filepath_r: C:\Windows\lulxmm.exe
desired_access: 983551
service_handle: 0x00515c70
error_control: 0
service_type: 272
service_manager_handle: 0x00515d38
1 5332080 0
domain www.dropbox.com
file C:\Users\test22\AppData\Local\Temp\._cache_3-1.exe
file C:\Users\test22\AppData\Roaming\JJ.exe
file C:\Users\test22\AppData\Roaming\._cache_csrss2.exe
file C:\Users\test22\AppData\Local\Temp\14462984\TemporaryFile\TemporaryFile
file C:\Users\test22\AppData\Local\Temp\csrss2.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 28672
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
section .rsrc (virtual_address 0x000b0000, virtual_size 0x002c4f88, size_of_data 0x002c5000) entropy 7.2439 description A section with a high entropy has been found
entropy 0.806369064544 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000000fc
process_name: cswź
process_identifier: 2992
0 0

Process32NextW

snapshot_handle: 0x00000178
process_name: 񊀀ﶴɘ㱴直㲣直❑留
process_identifier: 2192
0 0

(the preceding Process32NextW entry, with the same snapshot handle 0x00000178, non-printable process_name and process_identifier 2192, is logged 48 more times in the raw report; the repeats are omitted here)
url https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
url http://freedns.afraid.org/api/?action=getdyndns
url https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
url http://xred.site50.net/syn/SSLLibrary.dll
url https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ
url https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk
url http://xred.site50.net/syn/SUpdate.ini
url https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
url https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk
url http://xred.site50.net/syn/Synaptics.rar
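The url, domain and Suricata entries above are enough to build a matcher, but the useful indicators are the specific paths and file IDs, not docs.google.com or www.dropbox.com as hosts, which would drown in legitimate traffic. The Python below is an added example written for this page, not ZeroBOX output or code from the sample. The proxy log it scans is constructed: the timestamps, source IPs and the two benign control lines are made up, the malicious URLs are the ones listed in this report, and the log format (timestamp, source, method, URL) is an assumption.

```python
"""Match proxy-log URLs against the network indicators in this report.

SAMPLE_LOG is constructed for this example: the timestamps, source IPs
and the two benign control lines are invented; the malicious URLs are
the ones listed in the report. The log format (ts src method url) is
an assumption.
"""
from urllib.parse import parse_qs, urlsplit

C2_HOSTS = {"xred.mooo.com", "xred.site50.net"}
DYNDNS_ZONES = (".mooo.com",)                 # zone behind the ET INFO DYNAMIC_DNS alert
GDRIVE_HOSTS = {"docs.google.com", "drive.usercontent.google.com"}
GDRIVE_ID_PREFIX = "0BxsMXGfPIZfS"            # prefix shared by the three file IDs above
DROPBOX_PATHS = {
    "/s/zhp1b06imehwylq/Synaptics.rar",
    "/s/n1w4p8gc6jzo0sg/SUpdate.ini",
    "/s/fzj752whr3ontsm/SSLLibrary.dll",
}


def match_url(url):
    """Return the list of indicator names a single URL matches (empty = clean)."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    query = parse_qs(u.query)
    hits = []
    if host in C2_HOSTS:
        hits.append("c2_host")
    elif host.endswith(DYNDNS_ZONES):
        hits.append("abused_dyndns_zone")      # weaker signal: whole zone, not this sample
    if host == "freedns.afraid.org" and u.path == "/api/" \
            and query.get("action") == ["getdyndns"]:
        hits.append("freedns_getdyndns_lookup")  # C2 address fetched over HTTP, not via DNS
    if host in GDRIVE_HOSTS and any(i.startswith(GDRIVE_ID_PREFIX)
                                    for i in query.get("id", [])):
        hits.append("gdrive_payload_id")       # key on the file ID, never on the host alone
    if host == "www.dropbox.com" and u.path in DROPBOX_PATHS:
        hits.append("dropbox_payload_share")
    return hits


def scan(log_text):
    """Return [(src_ip, url, hits)] for every log line matching at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _method, url = line.split(maxsplit=3)
        hits = match_url(url)
        if hits:
            alerts.append((src, url, hits))
    return alerts


# Constructed log: first five lines reuse this report's URLs, last two are benign controls.
SAMPLE_LOG = """\
2024-07-29T13:21:40Z 192.168.56.101 GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
2024-07-29T13:21:41Z 192.168.56.101 GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
2024-07-29T13:21:42Z 192.168.56.101 GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
2024-07-29T13:21:43Z 192.168.56.101 GET http://xred.site50.net/syn/SUpdate.ini
2024-07-29T13:21:44Z 192.168.56.101 GET https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
2024-07-29T13:21:45Z 192.168.56.102 GET https://docs.google.com/document/d/1AbCdEfGhIjK/edit
2024-07-29T13:21:46Z 192.168.56.102 GET https://www.dropbox.com/home
"""

if __name__ == "__main__":
    for src, url, hits in scan(SAMPLE_LOG):
        print(src, ",".join(hits), url)
```

The freedns.afraid.org match keys on the `action=getdyndns` API call rather than on the `sha` value, because the key is per-account and will differ between samples; the Google Drive match keys on the file-ID prefix for the same reason that the host alone is useless.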
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Escalate privileges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description Communications smtp rule network_smtp_raw
description Communications over SSL rule Network_SSL
description Communications use DNS rule Network_DNS
description Communications DynDns network rule Network_DynDns
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Run a KeyLogger rule KeyLogger
cmdline netstat -an
cmdline /c netstat -an
receiver [] sender [] server 103.129.252.45
host 38.147.172.248
host 45.33.6.223
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver reg_value C:\ProgramData\Synaptics\Synaptics.exe (written three times during the run)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systeamst reg_value C:\Users\test22\AppData\Local\Temp\csrss1.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\name reg_value C:\Users\test22\AppData\Roaming\._cache_csrss2.exe
service_name Mnopqr service_path C:\Windows\lulxmm.exe
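The persistence summary above combines three patterns worth checking for generically: machine-wide Run values and a service pointing into user-writable directories, system-binary names (csrss, ctfmon) reused outside System32 with a `._cache_` prefix or a digit appended, and a service display name assembled from alphabet runs ("Mnopqr Tuvwxyab Defghijk Mnop"). The Python below is an added example for this page, not ZeroBOX code or anything from the sample; the `AUTORUNS` list reproduces the four entries from this report plus one constructed benign control, and the checks are heuristics of the editor's own design.

```python
"""Heuristic triage of autorun entries (Run values and services).

AUTORUNS reproduces the four persistence entries in this report; the
SecurityHealth entry is a constructed benign control. The checks are
the editor's heuristics, not ZeroBOX signatures.
"""
import ntpath
import re

SYSTEM_STEMS = {"csrss", "ctfmon", "lsass", "smss", "svchost", "winlogon",
                "services", "explorer"}
WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
DROPPER_PREFIX = "._cache_"


def _sequential(word):
    """True if every letter is the alphabet successor of the previous one (mnopqr)."""
    w = word.lower()
    return len(w) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(w, w[1:]))


def assess(entry):
    """Return a list of human-readable findings for one autorun entry (empty = nothing odd)."""
    findings = []
    low = entry["image"].lower()
    base = ntpath.basename(low)
    directory = ntpath.dirname(low)

    if any(m in low for m in WRITABLE_MARKERS):
        findings.append("machine-wide autorun from a user-writable path")
    if base.startswith(DROPPER_PREFIX):
        findings.append("'._cache_' prefix used by this sample's dropper")
        base = base[len(DROPPER_PREFIX):]
    m = re.match(r"[a-z]+", base)           # letters before any digit / extension: csrss1 -> csrss
    stem = m.group(0) if m else ""
    if stem in SYSTEM_STEMS and not directory.endswith("\\system32"):
        findings.append(f"system binary name '{stem}' outside System32")
    if directory == "c:\\windows":
        findings.append("executable dropped directly in C:\\Windows")
    words = entry.get("display_name", "").split()
    if words and sum(map(_sequential, words)) * 2 >= len(words):
        findings.append("display name built from alphabet runs (generated)")
    return findings


def triage(entries):
    """Map entry name -> findings, for every entry."""
    return {e["name"]: assess(e) for e in entries}


AUTORUNS = [
    {"type": "run_key", "name": "Synaptics Pointing Device Driver",
     "image": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"type": "run_key", "name": "systeamst",
     "image": r"C:\Users\test22\AppData\Local\Temp\csrss1.exe"},
    {"type": "run_key", "name": "name",
     "image": r"C:\Users\test22\AppData\Roaming\._cache_csrss2.exe"},
    {"type": "service", "name": "Mnopqr", "display_name": "Mnopqr Tuvwxyab Defghijk Mnop",
     "image": r"C:\Windows\lulxmm.exe"},
    # Constructed benign control: a real Windows autorun living in System32.
    {"type": "run_key", "name": "SecurityHealth",
     "image": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for name, findings in triage(AUTORUNS).items():
        print(f"{name}: {findings or 'no findings'}")
```

The alphabet-run check deliberately tolerates one non-sequential word (Tuvwxyab wraps from y to a and fails the strict test), since a generator that wraps the alphabet still produces a majority of clean runs.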
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ œ Ö€« ° @Ð @ B* 0ÍP €©@ !@ CODEì› œ  `DATAT.° 0  @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc€©P ªþ @P.rsrc0Í Î¨ @P ¶ @P
base_address: 0x00400000
process_identifier: 2192
process_handle: 0x00000178
1 1 0

WriteProcessMemory

buffer: 0J0JÄ°I@JSynaptics Pointing Device Driver
base_address: 0x004a4000
process_identifier: 2192
process_handle: 0x00000178
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2192
process_handle: 0x00000178
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ œ Ö€« ° @Ð @ B* 0ÍP €©@ !@ CODEì› œ  `DATAT.° 0  @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc€©P ªþ @P.rsrc0Í Î¨ @P ¶ @P
base_address: 0x00400000
process_identifier: 2192
process_handle: 0x00000178
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExA

thread_identifier: 0
callback_function: 0x03983540
hook_identifier: 2 (WH_KEYBOARD)
module_address: 0x03980000
1 66033 0
process Synaptics.exe useragent MyApp
process Synaptics.exe useragent Synaptics.exe
Process injection Process 3064 called NtSetContextThread to modify thread in remote process 2192
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4828032
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000174
process_identifier: 2192
1 0 0
Process injection Process 3064 resumed a thread in remote process 2192
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000174
suspend_count: 1
process_identifier: 2192
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000160
suspend_count: 1
process_identifier: 2556
1 0 0

CreateProcessInternalW

thread_identifier: 2680
thread_handle: 0x00000448
process_identifier: 2676
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\._cache_3-1.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\._cache_3-1.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\._cache_3-1.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000440
1 1 0

CreateProcessInternalW

thread_identifier: 2796
thread_handle: 0x00000454
process_identifier: 2792
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\ProgramData\Synaptics\Synaptics.exe
track: 1
command_line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
filepath_r: C:\ProgramData\Synaptics\Synaptics.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000434
1 1 0

CreateProcessInternalW

thread_identifier: 2740
thread_handle: 0x000002c4
process_identifier: 2736
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\TT直播（桃子直播）.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\TT直播（桃子直播）.exe"
filepath_r: C:\Users\test22\AppData\Roaming\TT直播（桃子直播）.exe (GBK filename; the raw report renders it as TTÖ±²¥£¨ÌÒ×ÓÖ±²¥£©.exe)
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002cc
1 1 0

CreateProcessInternalW

thread_identifier: 2788
thread_handle: 0x000001fc
process_identifier: 2784
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\JJ.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\JJ.exe"
filepath_r: C:\Users\test22\AppData\Roaming\JJ.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002d4
1 1 0

CreateProcessInternalW

thread_identifier: 2900
thread_handle: 0x00000100
process_identifier: 2896
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\csrss1.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000104
1 1 0

CreateProcessInternalW

thread_identifier: 2996
thread_handle: 0x00000104
process_identifier: 2992
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\csrss2.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000100
1 1 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: C:\Users\test22\AppData\Local\Temp\csrss3.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: C:\Users\test22\AppData\Local\Temp\csrss4.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: C:\Users\test22\AppData\Local\Temp\csrss5.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

NtResumeThread

thread_handle: 0x00000160
suspend_count: 1
process_identifier: 2792
1 0 0

NtResumeThread

thread_handle: 0x00000324
suspend_count: 1
process_identifier: 2792
1 0 0

CreateProcessInternalW

thread_identifier: 2076
thread_handle: 0x00000218
process_identifier: 2072
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: /c netstat -an
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x0000021c
1 1 0

NtResumeThread

thread_handle: 0x00000160
suspend_count: 1
process_identifier: 2992
1 0 0

CreateProcessInternalW

thread_identifier: 3068
thread_handle: 0x00000448
process_identifier: 3064
current_directory: C:\Users\test22\AppData\Roaming
filepath: C:\Users\test22\AppData\Roaming\._cache_csrss2.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\._cache_csrss2.exe"
filepath_r: C:\Users\test22\AppData\Roaming\._cache_csrss2.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000440
1 1 0

CreateProcessInternalW

thread_identifier: 2196
thread_handle: 0x00000174
process_identifier: 2192
current_directory:
filepath:
track: 1
command_line: ctfmon.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000178
1 1 0

NtGetContextThread

thread_handle: 0x00000174
1 0 0

NtUnmapViewOfSection

base_address: 0x0258fedc
region_size: 1954156544
process_identifier: 2192
process_handle: 0x00000178
3221225497 (0xC0000019, STATUS_NOT_MAPPED_VIEW: the unmap failed because the base/size given are not a mapped view; the loader proceeds anyway and allocates at 0x00400000 below) 0

NtAllocateVirtualMemory

process_identifier: 2192
region_size: 905216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000178
1 0 0

WriteProcessMemory

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ œ Ö€« ° @Ð @ B* 0ÍP €©@ !@ CODEì› œ  `DATAT.° 0  @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc€©P ªþ @P.rsrc0Í Î¨ @P ¶ @P
base_address: 0x00400000
process_identifier: 2192
process_handle: 0x00000178
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2192
process_handle: 0x00000178
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0049b000
process_identifier: 2192
process_handle: 0x00000178
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0049e000
process_identifier: 2192
process_handle: 0x00000178
0 0

WriteProcessMemory

buffer:
base_address: 0x004a0000
process_identifier: 2192
process_handle: 0x00000178
1 1 0

WriteProcessMemory

buffer:
base_address: 0x004a3000
process_identifier: 2192
process_handle: 0x00000178
0 0

WriteProcessMemory

buffer: 0J0JÄ°I@JSynaptics Pointing Device Driver
base_address: 0x004a4000
process_identifier: 2192
process_handle: 0x00000178
1 1 0

WriteProcessMemory

buffer:
base_address: 0x004a5000
process_identifier: 2192
process_handle: 0x00000178
1 1 0

WriteProcessMemory

buffer:
base_address: 0x004b0000
process_identifier: 2192
process_handle: 0x00000178
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2192
process_handle: 0x00000178
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4828032
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000174
process_identifier: 2192
1 0 0

NtResumeThread

thread_handle: 0x00000174
suspend_count: 1
process_identifier: 2192
1 0 0

CreateProcessInternalW

thread_identifier: 1356
thread_handle: 0x00000084
process_identifier: 1264
current_directory: C:\Users\test22\AppData\Roaming
filepath: C:\Windows\System32\NETSTAT.EXE
track: 1
command_line: netstat -an
filepath_r: C:\Windows\system32\NETSTAT.EXE
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

thread_handle: 0x00000160
suspend_count: 1
process_identifier: 2192
1 0 0

CreateProcessInternalW

thread_identifier: 2416
thread_handle: 0x00000434
process_identifier: 2380
current_directory: C:\Users\test22\AppData\Roaming
filepath: C:\Users\test22\AppData\Roaming\._cache_ctfmon.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\._cache_ctfmon.exe"
filepath_r: C:\Users\test22\AppData\Roaming\._cache_ctfmon.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000042c
1 1 0

NtResumeThread

thread_handle: 0x00000130
suspend_count: 1
process_identifier: 2380
1 0 0
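The sequence above from PID 3064 against PID 2192 is the textbook hollowing order: create ctfmon.exe with CREATE_SUSPENDED, NtGetContextThread, an (unsuccessful) NtUnmapViewOfSection, NtAllocateVirtualMemory at 0x00400000 in the remote process, WriteProcessMemory of the MZP/PE header and the sections, a 4-byte WriteProcessMemory at 0x7efde008 that patches PEB.ImageBaseAddress to the new base, NtSetContextThread, NtResumeThread. The Python below is an added example written for this page, not ZeroBOX code, that turns that ordering into a per-target-PID verdict over a sandbox API log. `SAMPLE_EVENTS` is constructed: it mirrors the calls shown in this report (addresses, handles and PIDs are the report's) and adds the ordinary launch of PID 2380 as a negative case; the event dictionary layout is an assumption.

```python
"""Flag process hollowing in a Cuckoo/ZeroBOX-style API call log.

SAMPLE_EVENTS is constructed for this example. It mirrors the calls this
report shows PID 3064 making against PID 2192 (ctfmon.exe) and adds the
plain launch of PID 2380 as a negative case. The event layout
({"api": ..., "args": {...}}) is an assumption, not ZeroBOX's format.
"""
import struct
from collections import defaultdict

CREATE_SUSPENDED = 0x4
SELF_HANDLE = 0xFFFFFFFF

# "unmap_view", "alloc_remote" and "write_peb_imagebase" corroborate;
# REQUIRED is the minimum that makes the verdict.
REQUIRED = {"create_suspended", "write_pe_header", "set_context", "resume"}


def _new_state():
    return {"stages": [], "image_base": None}


def classify(events):
    """Return {target_pid: {"stages": [...], "image_base": int|None, "hollowing": bool}}."""
    state = defaultdict(_new_state)

    def mark(pid, stage):
        st = state[pid]
        if stage not in st["stages"]:
            st["stages"].append(stage)
        return st

    for ev in events:
        api, a = ev["api"], ev["args"]
        pid = a.get("process_identifier")
        if api == "CreateProcessInternalW":
            if a.get("creation_flags", 0) & CREATE_SUSPENDED:
                mark(pid, "create_suspended")
        elif api == "NtUnmapViewOfSection":
            mark(pid, "unmap_view")            # attempt counts even if it failed (0xC0000019)
        elif api == "NtAllocateVirtualMemory":
            if a.get("process_handle") != SELF_HANDLE:
                mark(pid, "alloc_remote")
        elif api == "WriteProcessMemory":
            buf = a.get("buffer", b"")
            st = state[pid]
            if buf[:2] == b"MZ":               # new image header (MZP for Delphi stubs)
                st["image_base"] = a["base_address"]
                mark(pid, "write_pe_header")
            elif len(buf) == 4 and st["image_base"] is not None \
                    and struct.unpack("<I", buf)[0] == st["image_base"]:
                mark(pid, "write_peb_imagebase")  # PEB.ImageBaseAddress patched to new base
        elif api == "NtSetContextThread":
            mark(pid, "set_context")
        elif api == "NtResumeThread":
            mark(pid, "resume")

    for st in state.values():
        st["hollowing"] = REQUIRED.issubset(st["stages"])
    return dict(state)


MZP_HEADER = b"MZP\x00\x02\x00\x00\x00\x04\x00\x0f\x00\xff\xff"   # truncated Delphi stub header
SAMPLE_EVENTS = [
    {"api": "CreateProcessInternalW", "args": {"process_identifier": 2192, "thread_handle": 0x174,
        "process_handle": 0x178, "command_line": "ctfmon.exe", "creation_flags": CREATE_SUSPENDED}},
    {"api": "NtGetContextThread", "args": {"thread_handle": 0x174}},
    {"api": "NtUnmapViewOfSection", "args": {"process_identifier": 2192, "process_handle": 0x178,
        "base_address": 0x0258FEDC, "status": 0xC0000019}},
    {"api": "NtAllocateVirtualMemory", "args": {"process_identifier": 2192, "process_handle": 0x178,
        "base_address": 0x00400000, "region_size": 905216, "protection": 0x4}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2192, "process_handle": 0x178,
        "base_address": 0x00400000, "buffer": MZP_HEADER}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2192, "process_handle": 0x178,
        "base_address": 0x00401000, "buffer": b""}},            # section body, elided by the sandbox
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2192, "process_handle": 0x178,
        "base_address": 0x7EFDE008, "buffer": struct.pack("<I", 0x00400000)}},  # "@" in the report
    {"api": "NtSetContextThread", "args": {"process_identifier": 2192, "thread_handle": 0x174}},
    {"api": "NtResumeThread", "args": {"process_identifier": 2192, "thread_handle": 0x174}},
    # Negative case: normal launch flags (0x04080410 = 67634192 in the report), then a resume.
    {"api": "CreateProcessInternalW", "args": {"process_identifier": 2380, "thread_handle": 0x434,
        "process_handle": 0x42C, "creation_flags": 0x04080410}},
    {"api": "NtResumeThread", "args": {"process_identifier": 2380, "thread_handle": 0x130}},
]

if __name__ == "__main__":
    for pid, st in sorted(classify(SAMPLE_EVENTS).items()):
        print(pid, "HOLLOWING" if st["hollowing"] else "ok", st["stages"])
```

The PEB patch is recognised by value rather than by address: a 4-byte write whose little-endian content equals the base the header was written to. That is what the report's "@" buffer at 0x7efde008 is (0x00400000 in little-endian), and it survives ASLR moving the PEB, which a fixed-address rule would not.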
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.DarkKomet.tp6k
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal W32.Delf.NB4
Skyhigh BehavesLike.Win32.Synaptics.wc
ALYac Win32.Comet.A
Cylance Unsafe
VIPRE Win32.Comet.A
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 000112511 )
BitDefender Win32.Comet.A
K7GW Trojan ( 000112511 )
Cybereason malicious.0b7c1a
Arcabit HEUR.VBA.Trojan.d
VirIT Trojan.Win32.Dnldr22.OHM
Symantec W32.Zorex
ESET-NOD32 Win32/Delf.NBX
APEX Malicious
McAfee W32/Synaptics
Avast Win32:Evo-gen [Trj]
ClamAV Win.Trojan.Emotet-9850453-0
Kaspersky Backdoor.Win32.DarkKomet.hqxy
Alibaba Backdoor:Win32/DarkKomet.353
NANO-Antivirus Trojan.Win32.DarkKomet.fazbwq
MicroWorld-eScan Win32.Comet.A
Rising Virus.Synaptics!1.E51C (CLASSIC)
Emsisoft Win32.Comet.A (B)
F-Secure Heuristic.HEUR/AGEN.1359402
DrWeb Win32.HLLW.Siggen.10555
Zillya Trojan.Delf.Win32.76144
TrendMicro Virus.Win32.NAPWHICH.B
McAfeeD ti!1DC783558CBA
FireEye Generic.mg.3482f7d0b7c1a3ee
Sophos Troj/AutoG-EB
SentinelOne Static AI - Malicious PE
Jiangmin Win32/Synaptics.Gen
Webroot W32.Malware.gen
Google Detected
Avira TR/Dldr.Agent.SH
MAX malware (ai score=88)
Antiy-AVL Virus/Win32.DarkKomet.a
Kingsoft Win32.Infected.AutoInfector.a
Gridinsoft Trojan.Win32.Downloader.mz!n
Xcitium Virus.Win32.Agent.DE@74b38h
Microsoft Worm:Win32/AutoRun!atmn
ViRobot Win32.Zorex.A
ZoneAlarm Backdoor.Win32.DarkKomet.hqxy
GData Win32.Backdoor.Agent.AXS
Varist W32/Backdoor.OAZM-5661