Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6403_us	Jan. 23, 2025, 5:02 a.m.	Jan. 23, 2025, 5:05 a.m.

Archive EvtxeCmd/Maps/System_EventLog_6005.map @ EvtxeCmd.zip

Size	1.4KB
Type	ASCII text
MD5	`9b956e67077c2bd31e97e8218005c269`
SHA1	`8aea50b4e1d34208a0fe7ce3f5f4a1272d578c58`
SHA256	`fece1cbab0167b5b27f54510ddb708c426c514077d9cc714d2ded3444e82c5d0`
SHA512	`f427fcf4d5c498e9fb5a989b4538a9c1a1893d545f27205970513b7e495c074b1891ffea5348b920a11997dfb72ca4a2c11dbc1f7933b432aafd81962e3613c0`
CRC32	`7DD01CA7`
ssdeep	`24:V2GOQaOxjkJuje54oy9stbcW8rF5Otrg45Qk/QrF4+Ub1w2TqRgQAIkb5fF:cGOQ7xG2mbcW8rOjsFUb1w2YghIk9fF`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\EvtxeCmd/Maps/System_EventLog_6005.map.html
1132
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1132 CREDAT:145409
  2152

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Performs some HTTP requests (1 event)

request

GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 51 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007725d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077264000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe4f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 1132 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 region_size: 7933952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000026b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007725d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077264000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe4f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077706000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077250000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776eb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe1a7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe494000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe491000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe496000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe491000 process_handle: 0xffffffffffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 21, 2025, 10:19 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff90000 process_handle: 0xffffffffffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (50 out of 1335 events)

url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	http://find.joins.com/
url	http://uk.ask.com/favicon.ico
url	http://wwwimages.adobe.com/www.adobe.com/swf/software/flash/about/flash_about_793x170.swf
url	https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url	http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F2020%2F1031%2Fupload_20063893240744871RiJjV.jpg%22
url	http://175.208.134.150:8282/test/test.eml
url	http://www.mercadolibre.com.mx/
url	http://www.iask.com/favicon.ico
url	http://ocsp.infonotary.com/responder.cgi0V
url	http://www3.fnac.com/
url	http://www.najdi.si/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/905.png
url	http://www.merlin.com.pl/favicon.ico
url	https://s.pstatic.net/static/www/mobile/edit/2020/1103/mobile_142459883835.gif
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://blogimgs.naver.net/nblog/guestbook/btn_close2.gif
url	https://ssl.pstatic.net/static/nid/login/rw_captcha01.png
url	http://www.snee.com/xml/xslt/sample.doc
url	http://www.yceml.net/0559/10408495-1499411010011
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url	http://t.static.blog.naver.net/mylog/versioning/nhn.keywordHighlighter-99428789.js
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url	https://ssl.pstatic.net/static/pwe/nm/b.gif
url	http://www.firmaprofesional.com0
url	http://search.nifty.com/
url	https://castbox.shopping.naver.com/js/lazyload.js
url	http://ns.adobe.com/exif/1.0/
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url	http://www.etmall.com.tw/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F2020%2F1021%2Fupload_19201541624342101mWI1T.jpg%22
url	http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C
url	https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	http://busca.estadao.com.br/favicon.ico
url	http://search.hanafos.com/favicon.ico
url	https://s.pstatic.net/shopping.phinf/20201103_21/701f9083-a72b-4ef6-ac1c-0daf1907c51d.jpg?type=f214_292
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url	http://search.chol.com/favicon.ico
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url	http://purl.org/rss/1.0/
url	http://search.interpark.com/
url	https://www.google.com/pagead/drt/ui

Yara rule detected in process memory (50 out of 75 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1132 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (5 events)

url	http://175.208.134.150:8282/test/test.eml
url	http://175.208.134.150:8282/favicon.ico
url	http://192.168.3.119/
url	http://175.208.134.150:8282/test/exe1.zip
url	https://192.168.3.119/

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1132 resumed a thread in remote process 2152
NtResumeThread Jan. 21, 2025, 10:19 p.m.	thread_handle: 0x0000000000000370 suspend_count: 1 process_identifier: 2152	1	0	0

Archive EvtxeCmd/Maps/System_EventLog_6005.map @ EvtxeCmd.zip

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All