Summary | ZeroBOX

Setup2.exe

Emotet AsyncRAT Generic Malware VMProtect GIF Format .NET DLL PE File DLL OS Processor Check PE32
Category Machine Started Completed
FILE s1_win7_x6401 June 8, 2021, 12:19 p.m. June 8, 2021, 12:26 p.m.
Size 2.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 623c88cc55a2df1115600910bbe14457
SHA256 47bb97567ec946832d0bf77a9f2c4300032d4d7b2293f64fcd25d9b83e7c1178
CRC32 2B1A4391
ssdeep 49152:pAI+kzdauN9Z8SIZf3YgMcUZyU6fL/6vwTyMWaCMPfvyi:pAI+cdauN9sZf3YgRUQTIwTyMWaJfvyi
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49204 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49211 -> 157.240.215.35:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49218 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49221 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49218 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49218 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49218 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49211 -> 157.240.215.35:443 | Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | Subject: C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com | Fingerprint: 64:6a:5b:69:8b:12:93:b5:d8:b2:20:d5:3f:4e:74:04:ca:ba:95:5e
TLSv1 192.168.56.101:49221 -> 88.99.66.31:443 | Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | Subject: CN=*.iplogger.org | Fingerprint: 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file c:\program files (x86)\Google\Chrome\application\chrome.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
md8_8eus+0xbc3dc @ 0x4bc3dc
md8_8eus+0x776a8 @ 0x4776a8
md8_8eus+0x82a20 @ 0x482a20
md8_8eus+0x1270 @ 0x401270
md8_8eus+0xa9d62 @ 0x4a9d62
md8_8eus+0x90944 @ 0x490944
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 30 8b ce ff 15 a8 93 4d 00 8d 4b 04 ff d6 e9
exception.symbol: md8_8eus+0xbc1e1
exception.instruction: mov esi, dword ptr [eax]
exception.module: md8_8eus.exe
exception.exception_code: 0xc0000005
exception.offset: 770529
exception.address: 0x4bc1e1
registers.esp: 1638064
registers.edi: 1638187
registers.eax: 0
registers.ebp: 1638100
registers.edx: 2755488
registers.ebx: 5309116
registers.esi: 0
registers.ecx: 1638187
1 0 0
suspicious_features POST method with no referer header suspicious_request POST http://iw.gamegame.info/report7.4.php
suspicious_features POST method with no referer header suspicious_request POST http://uyg5wye.2ihsfa.com/api/?sid=244033&key=14a21546c007e98b00ef413b26924f80
suspicious_features POST method with no referer header suspicious_request POST http://ol.gamegame.info/report7.4.php
request GET http://ip-api.com/json/
request GET http://ip-api.com/json/?fields=8198
request POST http://iw.gamegame.info/report7.4.php
request GET http://uyg5wye.2ihsfa.com/api/fbtime
request POST http://uyg5wye.2ihsfa.com/api/?sid=244033&key=14a21546c007e98b00ef413b26924f80
request POST http://ol.gamegame.info/report7.4.php
request GET https://www.facebook.com/
request GET https://iplogger.org/18hh57
request POST http://iw.gamegame.info/report7.4.php
request POST http://uyg5wye.2ihsfa.com/api/?sid=244033&key=14a21546c007e98b00ef413b26924f80
request POST http://ol.gamegame.info/report7.4.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73702000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 73728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b60000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72a31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x729a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72964000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72a32000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72af1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00cc0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 1052672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02250000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 376832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ab1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75241000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74f41000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1884
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description explorer.exe tried to sleep 130 seconds, actually delayed analysis time by 130 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13719707648
free_bytes_available: 13719707648
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
domain ip-api.com
file C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
file C:\Program Files (x86)\Company\NewProduct\file4.exe
file C:\Users\test22\AppData\Local\Temp\install.dll
file C:\Program Files (x86)\Company\NewProduct\jooyu.exe
file C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
file C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
file C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe
file C:\Users\test22\AppData\Local\Temp\Newtonsoft.Json.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file C:\Program Files (x86)\Company\NewProduct\file4.exe
file C:\Program Files (x86)\Company\NewProduct\jooyu.exe
file C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
file C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
file C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe
file C:\Users\test22\AppData\Local\Temp\install.dll
file C:\Users\test22\AppData\Local\Temp\Newtonsoft.Json.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\file4.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\file4.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\jooyu.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\jooyu.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0
process rundll32.exe
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x00000124
regkey_r: 1
reg_type: 3 (REG_BINARY)
value: (binary data omitted)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1
1 0 0
Bkav W32.AIDetect.malware1
MicroWorld-eScan Gen:Variant.Zusy.380087
FireEye Generic.mg.623c88cc55a2df11
CAT-QuickHeal Trojandownloader.Badoffer
ALYac Trojan.GenericKD.36976216
Cylance Unsafe
AegisLab Trojan.Win32.BadOffer.a!c
Sangfor Trojan.Win32.BadOffer.gen
CrowdStrike win/malicious_confidence_80% (W)
BitDefender Gen:Variant.Zusy.380087
K7GW Trojan ( 005723511 )
K7AntiVirus Trojan ( 005723511 )
BitDefenderTheta Gen:NN.ZexaF.34722.ku0@aqwOMkki
Cyren W32/Trojan.THRM-0029
Symantec ML.Attribute.HighConfidence
ESET-NOD32 multiple detections
APEX Malicious
Avast Win32:MalOb-FE [Cryp]
Kaspersky HEUR:Trojan-Downloader.Win32.BadOffer.gen
Alibaba TrojanPSW:Win32/CookiesStealer.253a059b
NANO-Antivirus Riskware.Win32.PSWTool.hqsnsl
ViRobot Trojan.Win32.Z.Zusy.2431039
DrWeb Trojan.MulDrop16.31196
Emsisoft Gen:Variant.Zusy.380087 (B)
Ikarus Trojan.Win32.Crypt
GData Win32.Trojan-Stealer.Predator.CI1IGG
MaxSecure Trojan-Ransom.Win32.Crypmod.zfq
Avira TR/Crypt.XPACK.Gen
Antiy-AVL Trojan/Generic.ASMalwS.2FFCE3E
Gridinsoft Trojan.Win32.CoinMiner.vb!s8
SUPERAntiSpyware Trojan.Agent/Gen-Reconyc
ZoneAlarm HEUR:Trojan-Downloader.Win32.BadOffer.gen
Microsoft Trojan:Win32/CookiesStealer.OE!MTB
Cynet Malicious (score: 100)
McAfee Artemis!623C88CC55A2
MAX malware (ai score=86)
Malwarebytes Generic.Trojan.Malicious.DDS
Panda Trj/CI.A
TrendMicro-HouseCall TROJ_GEN.R002H0CF321
Tencent Win32.Trojan-downloader.Badoffer.Wlpk
Yandex Trojan.Blocker!OH3Aj8L7MuI
SentinelOne Static AI - Suspicious PE
eGambit Unsafe.AI_Score_100%
Fortinet W32/multiple_detections
Webroot W32.Trojan.Gen
AVG Win32:MalOb-FE [Cryp]
Cybereason malicious.c55a2d
Paloalto generic.ml