Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 7, 2023, 10:06 a.m.	July 7, 2023, 10:08 a.m.

Size	176.0B
Type	HTML document, ASCII text, with CRLF line terminators
MD5	`f6b00338f9b1aa52396ffb72af40bf04`
SHA256	`0c1c8817ed04083d518e343d8eb01bcb594618a5820890eb69440021f5e1d491`
CRC32	`3925A2BE`
ssdeep	`3:gAXYOkADFoCH+nUQPxWA7p1YctBbBFadEQGHYD3HyBhAIlP5MezbAkTC3BNAIMv:7XOmm/zWADYk/FBQGO3uHzbAcANVMv`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\page.html
2272
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2272 CREDAT:145409
  2364

Name	Response	Post-Analysis Lookup
clients2.googleusercontent.com	CNAME googlehosted.l.googleusercontent.com A 142.250.204.129	142.250.76.129
dhqidctjo3ugevk9u5sev1r.webdav.drivehq.com	A 66.220.9.58	66.220.9.58
edgedl.me.gvt1.com	A 34.104.35.123	34.104.35.123
accounts.google.com	A 142.250.66.77	172.217.25.173
dhqidlnsxx2qigisdvn7x2f.webdav.drivehq.com	A 66.220.9.58	66.220.9.58
bit.ly	A 67.199.248.11 A 67.199.248.10	67.199.248.11
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.18
apis.google.com	A 142.250.204.46 CNAME plus.l.google.com	142.250.76.142
www.google.com	A 142.250.66.132	142.250.207.100
_googlecast._tcp.local
fonts.gstatic.com	A 172.217.24.99	142.250.206.195
fonts.googleapis.com	A 142.250.204.74	142.250.206.202
p13n.adobe.io	A 3.219.243.226 A 3.233.129.217 A 52.22.41.97 A 52.6.155.20	54.224.241.105
clientservices.googleapis.com	A 216.58.200.227	172.217.25.163
pdf-readonline.website	A 45.83.122.52	45.83.122.52
www.smartsheet.com	CNAME cdn.amazee.io CNAME amazeeio.map.fastly.net A 146.75.50.191	151.101.194.191
www.gstatic.com	A 142.250.204.35	142.250.76.131
dhqid45r064utd5gygt2jy6.webdav.drivehq.com	A 66.220.9.58	66.220.9.58

IP Address	Status	Action
121.254.136.27	Active	Moloch
142.250.204.110	Active	Moloch
142.250.204.129	Active	Moloch
142.250.204.35	Active	Moloch
142.250.204.46	Active	Moloch
142.250.204.74	Active	Moloch
142.250.207.99	Active	Moloch
142.250.66.132	Active	Moloch
142.250.66.77	Active	Moloch
146.75.50.191	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.99	Active	Moloch
216.58.200.227	Active	Moloch
34.104.35.123	Active	Moloch
45.83.122.52	Active	Moloch
52.6.155.20	Active	Moloch
66.220.9.58	Active	Moloch
67.199.248.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 146.75.50.191:443 -> 192.168.56.102:49241	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49243 -> 146.75.50.191:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49237 -> 146.75.50.191:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49238 -> 146.75.50.191:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49240 -> 146.75.50.191:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49239 -> 146.75.50.191:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.102:49173 142.250.66.132:443	None	None	None
TLS 1.3 192.168.56.102:49174 142.250.66.132:443	None	None	None
TLS 1.3 192.168.56.102:49175 142.250.66.132:443	None	None	None
TLS 1.3 192.168.56.102:49178 142.250.204.35:443	None	None	None
TLS 1.3 192.168.56.102:49179 142.250.204.35:443	None	None	None
TLS 1.3 192.168.56.102:49177 216.58.200.227:443	None	None	None
TLS 1.3 192.168.56.102:49181 142.250.204.74:443	None	None	None
TLS 1.3 192.168.56.102:49180 142.250.204.35:443	None	None	None
TLS 1.3 192.168.56.102:49182 172.217.24.99:443	None	None	None
TLS 1.3 192.168.56.102:49183 142.250.204.46:443	None	None	None
TLS 1.3 192.168.56.102:49176 142.250.66.77:443	None	None	None
TLS 1.3 192.168.56.102:49195 142.250.204.129:443	None	None	None
TLS 1.2 192.168.56.102:49187 45.83.122.52:443	C=US, O=Let's Encrypt, CN=R3	CN=pdf-readonline.website	19:86:91:ef:29:9d:9a:a1:83:ca:a4:b0:32:65:04:3d:46:87:28:1d
TLS 1.2 192.168.56.102:49186 45.83.122.52:443	C=US, O=Let's Encrypt, CN=R3	CN=pdf-readonline.website	19:86:91:ef:29:9d:9a:a1:83:ca:a4:b0:32:65:04:3d:46:87:28:1d
TLS 1.2 192.168.56.102:49198 45.83.122.52:443	C=US, O=Let's Encrypt, CN=R3	CN=pdf-readonline.website	19:86:91:ef:29:9d:9a:a1:83:ca:a4:b0:32:65:04:3d:46:87:28:1d
TLS 1.2 192.168.56.102:49194 45.83.122.52:443	C=US, O=Let's Encrypt, CN=R3	CN=pdf-readonline.website	19:86:91:ef:29:9d:9a:a1:83:ca:a4:b0:32:65:04:3d:46:87:28:1d
TLS 1.2 192.168.56.102:49196 45.83.122.52:443	C=US, O=Let's Encrypt, CN=R3	CN=pdf-readonline.website	19:86:91:ef:29:9d:9a:a1:83:ca:a4:b0:32:65:04:3d:46:87:28:1d
TLSv1 192.168.56.102:49207 66.220.9.58:443	C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2	CN=*.webdav.drivehq.com	a6:bb:84:e8:8d:62:93:e2:b5:60:36:d3:c4:9b:9e:6b:00:7a:a5:82
TLSv1 192.168.56.102:49208 66.220.9.58:443	C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2	CN=*.webdav.drivehq.com	a6:bb:84:e8:8d:62:93:e2:b5:60:36:d3:c4:9b:9e:6b:00:7a:a5:82
TLS 1.2 192.168.56.102:49199 45.83.122.52:443	C=US, O=Let's Encrypt, CN=R3	CN=pdf-readonline.website	19:86:91:ef:29:9d:9a:a1:83:ca:a4:b0:32:65:04:3d:46:87:28:1d
TLS 1.3 192.168.56.102:49200 142.250.204.110:443	None	None	None
TLSv1 192.168.56.102:49203 66.220.9.58:443	C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2	CN=*.webdav.drivehq.com	a6:bb:84:e8:8d:62:93:e2:b5:60:36:d3:c4:9b:9e:6b:00:7a:a5:82
TLSv1 192.168.56.102:49205 66.220.9.58:443	C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2	CN=*.webdav.drivehq.com	a6:bb:84:e8:8d:62:93:e2:b5:60:36:d3:c4:9b:9e:6b:00:7a:a5:82
TLSv1 192.168.56.102:49216 66.220.9.58:443	C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2	CN=*.webdav.drivehq.com	a6:bb:84:e8:8d:62:93:e2:b5:60:36:d3:c4:9b:9e:6b:00:7a:a5:82
TLSv1 192.168.56.102:49212 66.220.9.58:443	C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2	CN=*.webdav.drivehq.com	a6:bb:84:e8:8d:62:93:e2:b5:60:36:d3:c4:9b:9e:6b:00:7a:a5:82
TLS 1.3 192.168.56.102:49221 142.250.207.99:443	None	None	None
TLS 1.3 192.168.56.102:49222 142.250.204.35:443	None	None	None
TLS 1.3 192.168.56.102:49225 52.6.155.20:443	None	None	None
TLS 1.3 192.168.56.102:49226 52.6.155.20:443	None	None	None
TLS 1.2 192.168.56.102:49229 23.45.56.171:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Jose, O=Adobe Inc, CN=*.adobe.com	b5:2f:f2:ba:e6:6a:d7:82:1c:df:03:c5:51:6c:84:5f:9e:70:0d:71
TLS 1.3 192.168.56.102:49192 142.250.207.99:443	None	None	None
TLS 1.2 192.168.56.102:49230 23.45.56.171:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Jose, O=Adobe Inc, CN=*.adobe.com	b5:2f:f2:ba:e6:6a:d7:82:1c:df:03:c5:51:6c:84:5f:9e:70:0d:71

Performs some HTTP requests (5 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://www.gstatic.com/generate_204
request	HEAD http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/n3xmszuzmcp4pxq3qhmant63nm_9.45.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.45.0_all_ecp3yewcq3fuvht5wyi7t7s37y.crx3
request	GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/n3xmszuzmcp4pxq3qhmant63nm_9.45.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.45.0_all_ecp3yewcq3fuvht5wyi7t7s37y.crx3
request	GET http://bit.ly/2TwPVOe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 112 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 region_size: 8851456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000034e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003770000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:07 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2364 region_size: 13635584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 7, 2023, 10:06 a.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2272 CREDAT:145409

Communicates with host for which no DNS query was performed (2 events)

host	142.250.204.110
host	142.250.207.99

One or more non-whitelisted processes were created (2 events)

parent_process	iexplore.exe				martian_process	search-ms:query=Invoice_541266&crumb=location://dhqidlnsxx2qigisdvn7x2f.webdav.drivehq.com@SSL/DavWWWRoot&displayname=Search
parent_process	iexplore.exe				martian_process	search-ms:query=Invoice_541266&crumb=location:\\dhqidlnsxx2qigisdvn7x2f.webdav.drivehq.com@SSL\DavWWWRoot&displayname=Search

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2272 resumed a thread in remote process 2364
NtResumeThread July 7, 2023, 10:06 a.m.	thread_handle: 0x000000000000035c suspend_count: 1 process_identifier: 2364	1	0	0

page.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All