Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 18, 2025, 3:47 a.m.	April 18, 2025, 3:50 a.m.

Size	362.3KB
Type	HTML document, ASCII text, with very long lines
MD5	`e030e64f0874a226ff367aac2c0fd45d`
SHA256	`051d4fc33d3eecee192ab3c4325eaac8eaf89d31ffa785a32458a958973e3474`
CRC32	`826D3572`
ssdeep	`3072:E6E6K65DBmuSH2/mtSaSESpS3S8S5SfALG9qF8OGF4KSkOqSES9glhGSnSVqSBS9:3Bme/folh+HcW0X`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\photo.htm
2612
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:145409
  2704

Name	Response	Post-Analysis Lookup
static.xx.fbcdn.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	31.13.82.7

IP Address	Status	Action
157.240.215.14	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 52.239.160.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 52.239.160.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	16:e8:ac:11:c1:39:9b:a5:c8:88:4c:bf:b3:42:2e:17:41:e5:a9:79
TLSv1 192.168.56.101:49166 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	16:e8:ac:11:c1:39:9b:a5:c8:88:4c:bf:b3:42:2e:17:41:e5:a9:79
TLSv1 192.168.56.101:49175 157.240.215.14:443	None	None	None
TLSv1 192.168.56.101:49170 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	16:e8:ac:11:c1:39:9b:a5:c8:88:4c:bf:b3:42:2e:17:41:e5:a9:79
TLSv1 192.168.56.101:49165 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	16:e8:ac:11:c1:39:9b:a5:c8:88:4c:bf:b3:42:2e:17:41:e5:a9:79
TLSv1 192.168.56.101:49167 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	16:e8:ac:11:c1:39:9b:a5:c8:88:4c:bf:b3:42:2e:17:41:e5:a9:79
TLSv1 192.168.56.101:49169 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	16:e8:ac:11:c1:39:9b:a5:c8:88:4c:bf:b3:42:2e:17:41:e5:a9:79
TLSv1 192.168.56.101:49171 157.240.215.14:443	None	None	None
TLSv1 192.168.56.101:49173 157.240.215.14:443	None	None	None
TLSv1 192.168.56.101:49176 157.240.215.14:443	None	None	None
TLSv1 192.168.56.101:49180 52.239.160.33:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.web.core.windows.net	22:d9:a8:14:ff:86:7a:4b:f0:95:ea:b0:9f:c1:b5:62:6b:b0:62:a9
TLSv1 192.168.56.101:49181 52.239.160.33:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.web.core.windows.net	22:d9:a8:14:ff:86:7a:4b:f0:95:ea:b0:9f:c1:b5:62:6b:b0:62:a9
TLSv1 192.168.56.101:49177 157.240.215.14:443	None	None	None

Performs some HTTP requests (9 events)

request	GET https://static.xx.fbcdn.net/rsrc.php/v5/yP/l/0,cross/hdizZSl7vs1pXN_QbzK5g5.css
request	GET https://static.xx.fbcdn.net/rsrc.php/v4ikYC4/ye/l/pl_PL/4UJPryDl6vQ.js
request	GET https://static.xx.fbcdn.net/rsrc.php/v4i1hI4/yB/l/pl_PL/iZlynKqupyeJxZpg7m_h7q81-kCxOHvH-jJTXU6VJG0Kqf4IO3ef2VeaNyM5x7xjrVVSiB1Bshw99hbqzKu9tM7F_Y7Xk1cp1ZY2YkxqMpyzfiubWjH6HmqBA3tJbBUoPL58XEhTixJo7zxRE8M1ZFyQWnT9xFtruSNYVw8-m6b_Uv7ObcEfnFd0zmg_Lq0Ssl_q8so13prljcrpG.js
request	GET https://static.xx.fbcdn.net/rsrc.php/v4i3Z54/y-/l/pl_PL/QI6a6eMB_Rd.js
request	GET https://static.xx.fbcdn.net/rsrc.php/v4ih9w4/yH/l/pl_PL/u5eNGFq3WhgRnT2Z3dd70t0BUXE7BctrMPOyxLFPsfmEuk8vLtdffcjlUV7BVDeuTY5KnvPi9YnXpZxNQZM-9qQm9FNo6EWfQ8TbUQ5LoxjLorwy1DKBSsTAnxMKEPueP2LsGoiMt_RY_Bx4ZxpRYeCkYXwettdgmkSZ1wuvR42D6xbRi0SBmuDjByG_AXEDxgHlco1Rdzuzi16ygzT1sbQZyoV41jlFha1shB9W520aphfApDHnsYNsuC0kULDczav0pBCHyQAQhgl2OqFfuFZO4v9aC1p55HfXW__mMzi95_wmB-51MKSPKuAkuWtGsXcG4xa-CQ.js
request	GET https://static.xx.fbcdn.net/rsrc.php/v4/yf/r/1Fs8rBQNSz9.js
request	GET https://static.xx.fbcdn.net/rsrc.php/v4ii3Z4/yC/l/pl_PL/yosNSWC8z_t.js
request	GET https://static.xx.fbcdn.net/rsrc.php/v4ioN94/ys/l/pl_PL/NuW542bho60.js
request	GET https://static.xx.fbcdn.net/rsrc.php/v4iiH84/y-/l/pl_PL/gYR6XdR5Jlz.js

Allocates read-write-execute memory (usually to unpack itself) (50 out of 53 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 region_size: 8327168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefefc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 region_size: 12849152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefefc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769bf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769bd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769bb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d76000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769c0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d4f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda37000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefef64000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefef61000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 3:47 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefef66000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (9 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\gYR6XdR5Jlz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f2VeaNyM5x7xjrVVSiB1Bshw99hbqzKu9tM7F_Y7Xk1cp1ZY2YkxqMpyzfiubWjH6HmqBA3tJbBUoPL58XEhTixJo7zxRE8M1ZFyQWnT9xFtruSNYVw8-m6b_Uv7ObcEfnFd0zmg_Lq0Ssl_q8so13prljcrpG[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\NuW542bho60[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\6xbRi0SBmuDjByG_AXEDxgHlco1Rdzuzi16ygzT1sbQZyoV41jlFha1shB9W520aphfApDHnsYNsuC0kULDczav0pBCHyQAQhgl2OqFfuFZO4v9aC1p55HfXW__mMzi95_wmB-51MKSPKuAkuWtGsXcG4xa-CQ[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\EF7jToILK__lf3M2c5Ce6Plb3YOUAa1uxG-EqCVDoQ0oVKSOquY33KmXOwxbekaXW-tOaFqQKS5Mn_QtgU-AHdn23FrMyYD13V85S49rRGwNLnpvgcdl9Hz438Eq6_2Lh_Pb0SL6Gymh2vqmng1EqZ05_nr0AC[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\yosNSWC8z_t[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\1Fs8rBQNSz9[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\QI6a6eMB_Rd[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\4UJPryDl6vQ[1].js

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 18, 2025, 3:48 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff60000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:145409

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2612 resumed a thread in remote process 2704
NtResumeThread April 18, 2025, 3:47 a.m.	thread_handle: 0x0000000000000360 suspend_count: 1 process_identifier: 2704	1	0	0

photo.htm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All