Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6402	May 7, 2025, 4:01 a.m.	May 7, 2025, 4:03 a.m.

Archive 114_Shortcuts_journal @ url_analysis.html.zip

Size	21.1KB
Type	data
MD5	`3d14e3b20b4fbdc9e1239a9a868d6d61`
SHA1	`8faaea56f6dfa49a2dcf19ceea704654169a8c5a`
SHA256	`0c2a64b70ad8bf10fb1e3edf393ddfd1c33a465ddf8a16fd3d522dedf502fe64`
SHA512	`357f273f8c6f1fe41c5fdc5eb02811c535c038339dfc49ef7c3e61d35a166f488d72520a71ab1e073ee12487057b822b6eaec8c7b470d50c955addc97783befa`
CRC32	`74C41692`
ssdeep	`48:tnT1UWXQSkWg3NlQ83LqQU2MZYFg/vshMHnPSkWd9:VWWXQZT3/Q83LfM2FgXshePZO`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\114_Shortcuts_journal.html
1636
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1636 CREDAT:145409
  1376

Name	Response	Post-Analysis Lookup
cacerts.digicert.com	CNAME crl.edge.digicert.com A 23.36.55.181 CNAME cac-ocsp.digicert.com.edgekey.net CNAME e3913.cd.akamaiedge.net	118.214.79.16

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.36.55.181	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 52.239.160.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 52.239.160.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49166 52.239.160.33:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.web.core.windows.net	b2:4f:3d:bf:b7:4e:09:4d:12:54:6c:82:6e:50:6d:72:8f:49:b1:1a
TLSv1 192.168.56.102:49167 52.239.160.33:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.web.core.windows.net	b2:4f:3d:bf:b7:4e:09:4d:12:54:6c:82:6e:50:6d:72:8f:49:b1:1a

Performs some HTTP requests (1 event)

request

GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 54 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 region_size: 11014144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002300000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 region_size: 5050368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077186000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077181000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ba0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772af000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772bb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe117000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbe4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbe1000 process_handle: 0xffffffffffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 7, 2025, 3:39 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (50 out of 1376 events)

url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	http://uk.ask.com/favicon.ico
url	http://crl.identrust.com/DSTROOTCAX3CRL.crl0
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/477.png
url	http://www.cnet.com/favicon.ico
url	https://ssl.pstatic.net/tveta/libs/1364/1364526/a5068a6f44555ea499da_20211029164146193.jpg
url	https://castbox.shopping.naver.com/js/lazyload.js
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://www.semicolonworld.com/public/editor/scripts/page-demo.js
url	http://search.hanafos.com/favicon.ico
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	http://blogimgs.naver.com/nblog/skins/happybean/bg-head.gif
url	http://www.amazon.co.jp/
url	http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fpost.phinf%2FMjAyMTEwMjlfMTQ3%2FMDAxNjM1NDg5NTkwMjQx.ReMWjfEUt2fOdmDqHuEmEcs2X8GrpU2KpHwlmdHk5skg.KuUSowFolmcR9Pxn2AE1zZwgw3UJzE0hlG6-EBrIshwg.JPEG%2FI9Wqi9529GscsPCReR8LklApnJCw.jpg%3Ftype%3Df339_222_q90%22
url	https://www.semicolonworld.com/uploads/article-python.jpg
url	http://yellowpages.superpages.com/
url	https://www.naver.com
url	http://ocsp.digicert.com0
url	https://my.sendinblue.com/public/theme/version4/assets/images/loader_sblue.gif
url	https://ssl.pstatic.net/static/pwe/nm/sp_mail_setup_140716.png
url	http://search.sify.com/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/410.png
url	http://search.msn.com/results.aspx?q=
url	http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
url	http://oneocsp.microsoft.com/ocsp0
url	https://csp.withgoogle.com/csp/report-to/images-tbn
url	http://isrg.trustid.ocsp.identrust.com0
url	http://si.wikipedia.org/w/api.php?action=opensearch
url	http://www.signatur.rtr.at/de/directory/cps.html0
url	http://search.ebay.fr/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/809.png
url	http://www.certplus.com/CRL/class3TS.crl0
url	http://it.wikipedia.org/favicon.ico
url	http://uk.ask.com/
url	https://s.pstatic.net/shopping.phinf/20211021_15/4f83a02f-21a6-444f-9737-f224e18a744f.jpg?type=f214_292
url	https://www.semicolonworld.com/public/editor/scripts/hotkeys.js
url	http://blogimgs.naver.com/blog20/blog/layout_photo/viewer2/btn_right.gif
url	http://www.google.cz/
url	http://search.ebay.co.uk/
url	https://rcaptcha.nid.naver.com/rcaptUi?key=6pAdObHNP9C8Df
url	https://nid.naver.com/login/ext/deviceConfirm.nhn?svctype=1
url	http://crl.verisign.com/pca3.crl0
url	http://www.weather.com/
url	http://www.news.com.au/favicon.ico
url	http://blogimgs.naver.net/blog20/blog/layout_photo/viewer2/btn_right.gif
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/947.png
url	https://s.pstatic.net/static/www/img/uit/2021/sp_main_57f073.png
url	http://www.linternaute.com/favicon.ico
url	http://ns.adobe.com/photoshop/1.0/

Yara rule detected in process memory (50 out of 74 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1636 CREDAT:145409

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (4 events)

url	https://192.168.3.119/
url	http://175.208.134.150:8282/favicon.ico
url	http://192.168.3.119/
url	http://175.208.134.150:8282/test/test.eml

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1636 resumed a thread in remote process 1376
NtResumeThread May 7, 2025, 3:39 a.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 1376	1	0	0

Archive 114_Shortcuts_journal @ url_analysis.html.zip

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All