popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

https://malware.me/analysis/upload/

Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Hijack Network Http API Anti_VM persistence FTP Socket Escalate priviledges DNS Code injection Sniff Audio Steal credential AntiDebug BitCoin PNG Format AntiVM icon
  1. Resubmit sample
Category Machine Started Completed
URL s1_win7_x6401 May 20, 2022, 7:28 a.m. May 20, 2022, 7:31 a.m.
URL https://malware.me/analysis/upload/

Name Response Post-Analysis Lookup
fonts.gstatic.com
A 172.217.174.99
CNAME gstaticadssl.l.google.com
142.251.42.131
fonts.googleapis.com
A 172.217.31.138
172.217.161.42
malware.me
A 175.208.134.152
175.208.134.152
maxcdn.bootstrapcdn.com
A 104.18.10.207
A 104.18.11.207
104.18.11.207
code.ionicframework.com
A 104.26.7.173
A 172.67.69.29
A 104.26.6.173
104.26.7.173
IP Address Status Action
104.18.11.207 Active Moloch
117.18.232.200 Active Moloch
164.124.101.2 Active Moloch
172.217.174.99 Active Moloch
172.217.31.138 Active Moloch
172.67.69.29 Active Moloch
175.208.134.152 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 175.208.134.152:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 175.208.134.152:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 104.18.11.207:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49164 -> 175.208.134.152:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 172.67.69.29:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 172.67.69.29:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 172.67.69.29:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49166 -> 175.208.134.152:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49173 -> 104.18.11.207:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 175.208.134.152:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49171 -> 172.217.31.138:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49179 -> 172.67.69.29:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49169 -> 175.208.134.152:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49183 -> 172.217.174.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49184 -> 172.217.174.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49174 -> 172.217.31.138:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49186 -> 172.217.174.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.69.29:443 -> 192.168.56.101:49178 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 172.217.174.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49187 -> 172.217.174.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49194 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49193 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 117.18.232.200:443 -> 192.168.56.101:49195 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49165
175.208.134.152:443 		C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=malware.me f6:c7:bd:58:f0:b0:3c:06:54:51:23:58:3a:8d:44:6c:bb:10:33:33
TLSv1
192.168.56.101:49167
175.208.134.152:443 		C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=malware.me f6:c7:bd:58:f0:b0:3c:06:54:51:23:58:3a:8d:44:6c:bb:10:33:33
TLSv1
192.168.56.101:49170
104.18.11.207:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 84:54:9b:cf:70:c9:dc:ed:ee:2c:a1:66:d9:e0:a0:1c:44:84:c6:e0
TLSv1
192.168.56.101:49164
175.208.134.152:443 		C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=malware.me f6:c7:bd:58:f0:b0:3c:06:54:51:23:58:3a:8d:44:6c:bb:10:33:33
TLSv1
192.168.56.101:49166
175.208.134.152:443 		C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=malware.me f6:c7:bd:58:f0:b0:3c:06:54:51:23:58:3a:8d:44:6c:bb:10:33:33
TLSv1
192.168.56.101:49173
104.18.11.207:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 84:54:9b:cf:70:c9:dc:ed:ee:2c:a1:66:d9:e0:a0:1c:44:84:c6:e0
TLSv1
192.168.56.101:49168
175.208.134.152:443 		C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=malware.me f6:c7:bd:58:f0:b0:3c:06:54:51:23:58:3a:8d:44:6c:bb:10:33:33
TLSv1
192.168.56.101:49171
172.217.31.138:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=upload.video.google.com 9d:91:e5:e1:fd:65:85:55:3c:84:3d:69:af:0a:bb:53:09:e3:cf:76
TLSv1
192.168.56.101:49169
175.208.134.152:443 		C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=malware.me f6:c7:bd:58:f0:b0:3c:06:54:51:23:58:3a:8d:44:6c:bb:10:33:33
TLSv1
192.168.56.101:49183
172.217.174.99:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.gstatic.com 46:50:7c:8c:68:c2:d3:c9:20:01:55:c1:df:91:f7:25:23:d3:5b:b1
TLSv1
192.168.56.101:49174
172.217.31.138:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=upload.video.google.com 9d:91:e5:e1:fd:65:85:55:3c:84:3d:69:af:0a:bb:53:09:e3:cf:76
TLSv1
192.168.56.101:49184
172.217.174.99:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.gstatic.com 46:50:7c:8c:68:c2:d3:c9:20:01:55:c1:df:91:f7:25:23:d3:5b:b1
TLSv1
192.168.56.101:49186
172.217.174.99:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.gstatic.com 46:50:7c:8c:68:c2:d3:c9:20:01:55:c1:df:91:f7:25:23:d3:5b:b1
TLSv1
192.168.56.101:49185
172.217.174.99:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.gstatic.com 46:50:7c:8c:68:c2:d3:c9:20:01:55:c1:df:91:f7:25:23:d3:5b:b1
TLSv1
192.168.56.101:49187
172.217.174.99:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.gstatic.com 46:50:7c:8c:68:c2:d3:c9:20:01:55:c1:df:91:f7:25:23:d3:5b:b1

Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda7a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 109502640
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 109508592
registers.r11: 109504400
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1910488188
registers.r13: 0
1 0 0
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request GET https://malware.me/analysis/upload/
request GET https://malware.me/static/css/main.css
request GET https://malware.me/static/plugins/fontawesome-free/css/all.min.css
request GET https://malware.me/static/js/handlebars-templates.js
request GET https://malware.me/static/dist/css/adminlte.min.css
request GET https://malware.me/static/js/vendor.js
request GET https://malware.me/static/js/hexdump.js
request GET https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css
request GET https://malware.me/static/js/cuckoo/sticky.js
request GET https://malware.me/static/js/cuckoo/loader.js
request GET https://malware.me/static/js/cuckoo/analysis_sidebar.js
request GET https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700
request GET https://malware.me/static/js/cuckoo/recent.js
request GET https://malware.me/static/js/cuckoo/analysis_network.js
request GET https://malware.me/static/js/cuckoo/rdp.js
request GET https://malware.me/static/plugins/pace-progress/themes/black/pace-theme-flat-top.css
request GET https://malware.me/img/profile/logo.png
request GET https://malware.me/static/custom/css/screen_variablilty.css
request GET https://malware.me/static/js/cuckoo/submission.js
request GET https://malware.me/static/js/cuckoo/analysis_feedback.js
request GET https://malware.me/static/js/cuckoo/process_tree.js
request GET https://malware.me/static/js/cuckoo/app.js
request GET https://malware.me/static/plugins/toastr/toastr.min.css
request GET https://malware.me/static/custom/js/jquery-1.11.0.min.js
request GET https://malware.me/static/custom/js/jquery-ui.min.js
request GET https://malware.me/static/lightslider/lightslider.js
request GET https://malware.me/static/lightslider/lightgallery-all.min.js
request GET https://malware.me/static/custom/js/datepicker-ko.js
request GET https://malware.me/static/plugins/bootstrap/js/bootstrap.bundle.min.js
request GET https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/fonts/fontawesome-webfont.eot?
request GET https://malware.me/static/dist/js/adminlte.js
request GET https://malware.me/static/plugins/pace-progress/pace.min.js
request GET https://malware.me/static/plugins/toastr/toastr.min.js
request GET https://malware.me/static/fonts/Roboto_normal_300_default.woff
request GET https://malware.me/static/fonts/Roboto_normal_400_default.woff
request GET https://malware.me/static/fonts/Roboto_normal_500_default.woff
request GET https://fonts.gstatic.com/s/sourcesanspro/v21/6xK1dSBYKcSV-LCoeQqfX1RYOo3qPZ7nsDQ.woff
request GET https://fonts.gstatic.com/s/sourcesanspro/v21/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdo.woff
request GET https://fonts.gstatic.com/s/sourcesanspro/v21/6xK3dSBYKcSV-LCoeQqfX1RYOo3qOK7j.woff
request GET https://malware.me/static/fonts/Roboto_normal_700_default.woff
request GET https://malware.me/static/fonts/Roboto_italic_400_default.woff
request GET https://malware.me/static/fonts/fontawesome-webfont.eot?
request GET https://malware.me/static/fonts/fa-solid-900.eot?
request GET https://malware.me/static/fonts/fa-regular-400.eot?
request GET https://malware.me/static/plugins/fontawesome-free/webfonts/fa-regular-400.eot?
request GET https://malware.me/static/plugins/fontawesome-free/webfonts/fa-solid-900.eot?
request GET https://malware.me/static/fonts/fa-light-300.eot?
request GET https://malware.me/favicon.ico
request GET https://malware.me/static/fonts/fa-brands-400.eot?
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2940
region_size: 1314816
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002cc0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002e00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007737d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773a2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077384000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773a2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc575000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc575000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff6f4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdf81000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007736a000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2940
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000031a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007391c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000074943000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3028
region_size: 15798272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002400000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003310000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007737d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773a2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077384000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000773a2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc575000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc575000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff6f4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdf81000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007736a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007736f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007736d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007736b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076f96000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000774a6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076f91000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077370000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007736a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007747f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007748b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff2e7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff694000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff691000
process_handle: 0xffffffffffffffff
1 0 0
Application Crash Process iexplore.exe with pid 2940 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda7a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 109502640
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 109508592
registers.r11: 109504400
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1910488188
registers.r13: 0
1 0 0
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\datepicker-ko[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\sticky[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\rdp[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\analysis_feedback[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\analysis_sidebar[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\vendor[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\jquery-ui.min[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\adminlte[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\pace.min[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\analysis_network[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\recent[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\submission[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\hexdump[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\app[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\lightslider[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\lightgallery-all.min[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\process_tree[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\jquery-1.11.0.min[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\handlebars-templates[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\loader[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\toastr.min[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\bootstrap.bundle.min[1].js
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x000007fffff60000
process_handle: 0xffffffffffffffff
1 0 0
url https://ssl.pstatic.net/tveta/libs/1287/1287046/6df1cc02334922baa2d4_20200806172035021.jpg
url https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url http://uk.ask.com/favicon.ico
url https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff
url http://crl.identrust.com/DSTROOTCAX3CRL.crl0
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/477.png
url http://www.cnet.com/favicon.ico
url http://crl
url https://castbox.shopping.naver.com/js/lazyload.js
url https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url http://search.hanafos.com/favicon.ico
url https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url http://search.livedoor.com/favicon.ico
url https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc
url https://s.pstatic.net/shopping.phinf/20211025_16/fb4391ad-80a4-4058-a54e-c294a35d0275.jpg?type=f214_292
url http://blogimgs.naver.com/nblog/skins/happybean/bg-head.gif
url http://www.amazon.co.jp/
url http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
url http://yellowpages.superpages.com/
url https://www.naver.com
url https://s.pstatic.net/shopping.phinf/20211028_9/adf7905c-28ea-4ddf-93b2-aa96dad57752.jpg
url https://s.pstatic.net/shopping.phinf/20200806_26/3cad46ab-3fa4-4756-9e01-d61372890bd0.jpg
url https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0804%2Fmobile_212629657646c.jpg%22
url https://my.sendinblue.com/public/theme/version4/assets/images/loader_sblue.gif
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211029_1095%2Fupload_163546934024588ZQX.jpg%22
url https://ssl.pstatic.net/static/pwe/nm/sp_mail_setup_140716.png
url http://search.sify.com/
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/410.png
url http://search.msn.com/results.aspx?q=
url https://s.pstatic.net/shopping.phinf/20200731_21/4628ed28-27dc-4586-871c-f7f22524da89.jpg?type=f214_292
url https://s.pstatic.net/imgshopping/static/sb/js/sb/nclktagS01_v1.js?v=2020080314
url https://ssl.pstatic.net/tveta/libs/1299/1299024/c033376e145702a0a471_20200806171156016.jpg
url https://fonts.googleapis.com/css?family=Open
url http://isrg.trustid.ocsp.identrust.com0
url http://si.wikipedia.org/w/api.php?action=opensearch
url http://www.signatur.rtr.at/de/directory/cps.html0
url http://search.ebay.fr/
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/921.png
url https://file-examples.com/wp-content/themes/file-examples/vendor/font-awesome/fonts/fontawesome-webfont.eot?
url http://www.certplus.com/CRL/class3TS.crl0
url https://s.pstatic.net/shopping.phinf/20200603_16/34b72b79-bb6a-40b2-b35d-ae82e0ee5115.jpg
url http://it.wikipedia.org/favicon.ico
url http://uk.ask.com/
url https://fonts.gstatic.com/s/muli/v22/7Aulp_0qiz-aVz7u3PJLcUMYOFnOkEk30e4.woff
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211027_1095%2Fupload_1635293110459bqWPi.jpg%22
url https://s.pstatic.net/static/www/img/uit/2020/sp_shop.4e0461.png
url http://blogimgs.naver.com/blog20/blog/layout_photo/viewer2/btn_right.gif
url http://www.google.cz/
url http://search.ebay.co.uk/
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Communications use DNS rule Network_DNS
description Match Windows Inet API call rule Str_Win32_Internet_API
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description PWS Memory rule Generic_PWS_Memory_Zero
description Hijack network configuration rule Hijack_Network
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Steal credential rule local_credential_Steal
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description File Downloader rule Network_Downloader
description Escalate priviledges rule Escalate_priviledges
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Match Windows Inet API call rule Str_Win32_Internet_API
description PWS Memory rule Generic_PWS_Memory_Zero
description Virtual currency rule Virtual_currency_Zero
description Run a KeyLogger rule KeyLogger
description Possibly employs anti-virtualization techniques rule vmdetect
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:145409
host 117.18.232.200
Process injection Process 2940 resumed a thread in remote process 3028
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000000000033c
suspend_count: 1
process_identifier: 3028
1 0 0