Summary | ZeroBOX

Setup2.exe

Emotet Generic Malware VMProtect GIF Format PE File DLL PE32
Category Machine Started Completed
FILE s1_win7_x6402 June 2, 2021, 5:55 p.m. June 2, 2021, 6:14 p.m.
Size 1.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e9d57ca7c57fdeed2e24074ce20e3310
SHA256 8a8e829a41ad71bcb19050aa71bf0aa81f070efb4284d7896ce49cfeeaab7d06
CRC32 071B1023
ssdeep 49152:pAI+I6dMrH1evkpus/CuTyXAz/PUudE1CY:pAI+pdc4vguUTyXs8d1r
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
104.21.21.221 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
172.67.200.215 Active Moloch
198.13.62.186 Active Moloch
208.95.112.1 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.102:61460 -> 198.13.62.186:53 2014702 ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set Potential Corporate Privacy Violation
TCP 192.168.56.102:49817 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.102:49817 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.102:49817 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.102:49817 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.102:49817 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file c:\program files (x86)\Google\Chrome\application\chrome.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
md8_8eus+0xbc3dc @ 0x4bc3dc
md8_8eus+0x776a8 @ 0x4776a8
md8_8eus+0x82a20 @ 0x482a20
md8_8eus+0x1270 @ 0x401270
md8_8eus+0xa9d62 @ 0x4a9d62
md8_8eus+0x90944 @ 0x490944
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 30 8b ce ff 15 a8 93 4d 00 8d 4b 04 ff d6 e9
exception.symbol: md8_8eus+0xbc1e1
exception.instruction: mov esi, dword ptr [eax]
exception.module: md8_8eus.exe
exception.exception_code: 0xc0000005
exception.offset: 770529
exception.address: 0x4bc1e1
registers.esp: 1638064
registers.edi: 1638187
registers.eax: 0
registers.ebp: 1638100
registers.edx: 6818720
registers.ebx: 5309116
registers.esi: 0
registers.ecx: 1638187
1 0 0
suspicious_features: POST method with no referer header; suspicious_request: POST http://iw.gamegame.info/report7.4.php
suspicious_features: POST method with no referer header; suspicious_request: POST http://ol.gamegame.info/report7.4.php
request GET http://ip-api.com/json/?fields=8198
request POST http://iw.gamegame.info/report7.4.php
request POST http://ol.gamegame.info/report7.4.php
request POST http://iw.gamegame.info/report7.4.php
request POST http://ol.gamegame.info/report7.4.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 8212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5192
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5192
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5192
region_size: 73728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00430000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e80000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73771000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74471000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72da4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e01000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 4836
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 4836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 4836
region_size: 1052672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 4836
region_size: 376832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01eb0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75241000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74f41000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 4836
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 13289893888
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0
domain ip-api.com
file C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
file C:\Program Files (x86)\Company\NewProduct\file4.exe
file C:\Users\test22\AppData\Local\Temp\install.dll
file C:\Program Files (x86)\Company\NewProduct\lij.exe
file C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
file C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file C:\Program Files (x86)\Company\NewProduct\file4.exe
file C:\Program Files (x86)\Company\NewProduct\lij.exe
file C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
file C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file C:\Users\test22\AppData\Local\Temp\install.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\file4.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\file4.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\lij.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\lij.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0
process rundll32.exe
host 172.217.25.14
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x00000124
regkey_r: 1
reg_type: 3 (REG_BINARY)
value: (REG_BINARY data omitted)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1
1 0 0
Bkav W32.AIDetect.malware2
MicroWorld-eScan Gen:Variant.Zusy.380087
FireEye Generic.mg.e9d57ca7c57fdeed
CAT-QuickHeal Trojandownloader.Badoffer
McAfee Artemis!E9D57CA7C57F
Cylance Unsafe
SUPERAntiSpyware Trojan.Agent/Gen-Dropper
K7AntiVirus Trojan ( 0057cfac1 )
Alibaba TrojanDownloader:Win32/BadOffer.da9e11fd
K7GW Trojan ( 0057cfac1 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Zusy.D5CCB7
BitDefenderTheta Gen:NN.ZexaF.34692.ku0@aqwOMkki
Cyren W32/Trojan.THRM-0029
Symantec ML.Attribute.HighConfidence
ESET-NOD32 multiple detections
TrendMicro-HouseCall TROJ_GEN.R002H0CET21
Avast Win32:MalOb-FE [Cryp]
Kaspersky HEUR:Trojan-Downloader.Win32.BadOffer.gen
BitDefender Gen:Variant.Zusy.380087
NANO-Antivirus Virus.Win32.Gen-Crypt.ccnc
Paloalto generic.ml
ViRobot Trojan.Win32.Z.Zusy.1621260
APEX Malicious
Rising Stealer.Agent!8.C2 (CLOUD)
Sophos Generic ML PUA (PUA)
DrWeb Trojan.MulDrop16.31196
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Dropper.tc
Emsisoft Gen:Variant.Zusy.380087 (B)
Ikarus Trojan-Spy.Win32.QuStealer
Avira TR/AD.PredatorThief.bzuzm
Gridinsoft Trojan.Win32.CoinMiner.vb!s8
Microsoft Trojan:Win32/Skeeyah.B!rfn
AegisLab Trojan.Win32.BadOffer.a!c
ZoneAlarm HEUR:Trojan-Downloader.Win32.BadOffer.gen
GData Win32.Trojan-Stealer.Predator.Q83PL1
Cynet Malicious (score: 99)
MAX malware (ai score=100)
Tencent Win32.Trojan-downloader.Badoffer.Anpl
Yandex Trojan.Blocker!OH3Aj8L7MuI
SentinelOne Static AI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Fortinet W32/multiple_detections
MaxSecure Trojan-Ransom.Win32.Crypmod.zfq
AVG Win32:MalOb-FE [Cryp]
Panda Trj/CI.A