Summary | ZeroBOX

Category	Machine	Started	Completed
URL	s1_win7_x6401	March 5, 2023, 1:04 a.m.	March 5, 2023, 1:07 a.m.

URL	http://engineeringsolutions.com.au/wp-content/plugins/cach/coment/index.php
File	bae5192883df9498_index[1].htm
Size	2.8KB
Type	HTML document, ASCII text, with very long lines, with no line terminators
MD5	`deab82e9d004d18ea5e4edb807893b97`
SHA256	`bae5192883df949868c99fe9be72cbc1f340716dce6bb22bc1d7381be88860a6`
CRC32	`71A35F71`
ssdeep	`48:0Ec15DT6R/dWwyl4vTG6y/DVYP0n1suwTLHii3Ikj5KxGxhI/c:zsD+R/dPy+C6y/Di0GX9kxGx7`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" http://engineeringsolutions.com.au/wp-content/plugins/cach/coment/index.php
2604
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:145409
  2688

Name	Response	Post-Analysis Lookup
engineeringsolutions.com.au	A 34.102.136.180	34.102.136.180
img1.wsimg.com	CNAME e40258.g.akamaiedge.net CNAME global-wildcard.wsimg.com.sni-only.edgekey.net A 121.254.136.88 A 121.254.136.96	23.43.165.163
www.google.com	A 142.250.204.132	142.250.76.132

IP Address	Status	Action
117.18.232.200	Active	Moloch
121.254.136.96	Active	Moloch
142.250.204.132	Active	Moloch
164.124.101.2	Active	Moloch
34.102.136.180	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49172 -> 121.254.136.96:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 121.254.136.96:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 121.254.136.96:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 121.254.136.96:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 142.250.204.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 142.250.204.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.101:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49172 121.254.136.96:443	C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2	CN=*.wsimg.com	4d:28:ab:b5:bb:e6:84:09:15:a9:80:a1:56:45:20:cb:87:93:83:a3
TLSv1 192.168.56.101:49173 121.254.136.96:443	C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2	CN=*.wsimg.com	4d:28:ab:b5:bb:e6:84:09:15:a9:80:a1:56:45:20:cb:87:93:83:a3
TLSv1 192.168.56.101:49171 121.254.136.96:443	C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2	CN=*.wsimg.com	4d:28:ab:b5:bb:e6:84:09:15:a9:80:a1:56:45:20:cb:87:93:83:a3
TLSv1 192.168.56.101:49174 121.254.136.96:443	C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2	CN=*.wsimg.com	4d:28:ab:b5:bb:e6:84:09:15:a9:80:a1:56:45:20:cb:87:93:83:a3
TLSv1 192.168.56.101:49170 142.250.204.132:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	b3:b0:16:6e:f3:c0:de:ca:50:3f:7a:12:0d:04:28:d8:68:3e:ba:7a
TLSv1 192.168.56.101:49169 142.250.204.132:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	b3:b0:16:6e:f3:c0:de:ca:50:3f:7a:12:0d:04:28:d8:68:3e:ba:7a

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 4, 2023, 2:03 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdba73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefd9243bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdbc5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdbc2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdc6af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdc6b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdbc48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefda50883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefda50ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefda50c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefd90a4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefd91d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefda5347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefda5122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefda53542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefd91d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefd91d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x769c98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefd91d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefda43e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefd8f0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefd8f0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd4fa49d registers.r14: 0 registers.r15: 0 registers.rcx: 104390944 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 104396896 registers.r11: 104392704 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1893682535 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 4, 2023, 2:03 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdba73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefd9243bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdbc5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdbc2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdc6af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdc6b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdbc48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefda50883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefda50ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefda50c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefd90a4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefd91d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefda5347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefda5122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefda53542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefd91d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefd91d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x769c98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefd91d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefda43e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefd8f0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefd8f0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefd4fa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 104390944
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 104396896
registers.r11: 104392704
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1893682535
registers.r13: 0

Performs some HTTP requests (8 events)

request	GET http://engineeringsolutions.com.au/px.js?ch=1&abp=1
request	GET http://engineeringsolutions.com.au/wp-content/plugins/cach/coment/index.php
request	GET http://engineeringsolutions.com.au/px.js?ch=2&abp=1
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://img1.wsimg.com/parking-lander/static/js/0.40743286.chunk.js
request	GET https://img1.wsimg.com/parking-lander/static/js/main.727544c3.chunk.js
request	GET https://img1.wsimg.com/parking-lander/static/js/1.3fa140ef.chunk.js
request	GET https://www.google.com/adsense/domains/caf.js?abp=1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 54 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 region_size: 6819840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002d60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000033e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefefc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000032b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:02 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 2:03 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000074213000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 region_size: 11538432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002430000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefefc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769bf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769bd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769bb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d76000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769c0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d4f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda37000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefef64000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 4, 2023, 1:55 p.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefef61000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2604 crashed
__exception__ March 4, 2023, 2:03 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdba73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefd9243bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdbc5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdbc2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdc6af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdc6b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdbc48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefda50883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefda50ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefda50c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefd90a4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefd91d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefda5347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefda5122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefda53542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefd91d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefd91d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x769c98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefd91d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefda43e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefd8f0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefd8f0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd4fa49d registers.r14: 0 registers.r15: 0 registers.rcx: 104390944 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 104396896 registers.r11: 104392704 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1893682535 registers.r13: 0	1	0	0

Application Crash

Process iexplore.exe with pid 2604 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

March 4, 2023, 2:03 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdba73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefd9243bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdbc5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdbc2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdc6af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdc6b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdbc48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefda50883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefda50ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefda50c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefd90a4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefd91d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefda5347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefda5122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefda53542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefd91d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefd91d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x769c98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefd91d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefda43e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefd8f0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefd8f0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\px[2].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\main.727544c3.chunk[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\0.40743286.chunk[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\px[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\1.3fa140ef.chunk[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\caf[1].js

Potentially malicious URLs were found in the process memory dump (50 out of 1484 events)

url	https://ssl.pstatic.net/tveta/libs/1287/1287046/6df1cc02334922baa2d4_20200806172035021.jpg
url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	http://uk.ask.com/favicon.ico
url	https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff
url	http://crl.identrust.com/DSTROOTCAX3CRL.crl0
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/477.png
url	http://www.cnet.com/favicon.ico
url	https://castbox.shopping.naver.com/js/lazyload.js
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://csp.withgoogle.com/csp/ads-afs-ui
url	http://search.hanafos.com/favicon.ico
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url	http://search.livedoor.com/favicon.ico
url	https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc
url	https://s.pstatic.net/shopping.phinf/20211025_16/fb4391ad-80a4-4058-a54e-c294a35d0275.jpg?type=f214_292
url	http://blogimgs.naver.com/nblog/skins/happybean/bg-head.gif
url	http://www.amazon.co.jp/
url	http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
url	http://yellowpages.superpages.com/
url	https://www.naver.com
url	https://s.pstatic.net/shopping.phinf/20211028_9/adf7905c-28ea-4ddf-93b2-aa96dad57752.jpg
url	https://img1.wsimg.com/parking-lander/static/js/1.3fa140ef.chunk.js
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0804%2Fmobile_212629657646c.jpg%22
url	https://my.sendinblue.com/public/theme/version4/assets/images/loader_sblue.gif
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211029_1095%2Fupload_163546934024588ZQX.jpg%22
url	https://ssl.pstatic.net/static/pwe/nm/sp_mail_setup_140716.png
url	http://search.sify.com/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/410.png
url	http://search.msn.com/results.aspx?q=
url	https://s.pstatic.net/shopping.phinf/20200731_21/4628ed28-27dc-4586-871c-f7f22524da89.jpg?type=f214_292
url	https://s.pstatic.net/imgshopping/static/sb/js/sb/nclktagS01_v1.js?v=2020080314
url	https://ssl.pstatic.net/tveta/libs/1299/1299024/c033376e145702a0a471_20200806171156016.jpg
url	https://fonts.googleapis.com/css?family=Open
url	http://isrg.trustid.ocsp.identrust.com0
url	http://si.wikipedia.org/w/api.php?action=opensearch
url	http://www.signatur.rtr.at/de/directory/cps.html0
url	http://search.ebay.fr/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/921.png
url	https://file-examples.com/wp-content/themes/file-examples/vendor/font-awesome/fonts/fontawesome-webfont.eot?
url	http://www.certplus.com/CRL/class3TS.crl0
url	https://s.pstatic.net/shopping.phinf/20200603_16/34b72b79-bb6a-40b2-b35d-ae82e0ee5115.jpg
url	http://it.wikipedia.org/favicon.ico
url	http://uk.ask.com/
url	https://fonts.gstatic.com/s/muli/v22/7Aulp_0qiz-aVz7u3PJLcUMYOFnOkEk30e4.woff
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211027_1095%2Fupload_1635293110459bqWPi.jpg%22
url	https://s.pstatic.net/static/www/img/uit/2020/sp_shop.4e0461.png
url	http://blogimgs.naver.com/blog20/blog/layout_photo/viewer2/btn_right.gif
url	http://www.google.cz/
url	http://search.ebay.co.uk/

Yara rule detected in process memory (50 out of 74 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2604 resumed a thread in remote process 2688
NtResumeThread March 4, 2023, 2:02 p.m.	thread_handle: 0x0000000000000330 suspend_count: 1 process_identifier: 2688	1	0	0

http://engineeringsolutions.com.au/wp-content/plugins/cach/coment/index.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All