Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6403_us	Jan. 22, 2025, 5:24 p.m.	Jan. 22, 2025, 5:26 p.m.

Archive OEBPS/19_Chapter_11.xhtml @ Cuckoo.epub

Size	32.1KB
Type	HTML document, UTF-8 Unicode text, with very long lines
MD5	`012c6b98b718c073c9d97274a9e557d0`
SHA1	`b5452b2b47617b7f510a815e620648b97c3c8f72`
SHA256	`1023adb36ab01c06e2db92f40f59c9ecaebc704657beb3c885b4d5a5b432ec99`
SHA512	`5865bce882014d5b7b7ef27612bbb288e5276c7a9641990781d8621e4f1d71ab6a7bafbcb293af33c48b54c464aec9372641a28cbfbeff8d55b0c4a711d67a65`
CRC32	`919688B9`
ssdeep	`768:/Rwx739vDZJpp00FkgqrV4pQsXHDa5GXBKdz:/w7ja0vqrCpJHu5GXEz`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\OEBPS/19_Chapter_11.xhtml.html
808
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:808 CREDAT:145409
  2068
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:808 CREDAT:79875
  2632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Jan. 21, 2025, 12:25 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3 CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe1c62ba Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefdffb949 CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7fefe1c21d0 DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe07d8a2 ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7fefe081bb3 ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7fefe081b22 CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7fefe0817eb CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7fefe081417 CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7fefe0794fa CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7fefe079428 CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7fefe079b49 CreateExtensionGuidEnumerator+0x366f9 DllInstall-0x28b9b ieframe+0x8a9c1 @ 0x7fef54ea9c1 CreateExtensionGuidEnumerator+0xc0f6 DllInstall-0x5319e ieframe+0x603be @ 0x7fef54c03be CreateExtensionGuidEnumerator+0x1052d DllInstall-0x4ed67 ieframe+0x647f5 @ 0x7fef54c47f5 CreateExtensionGuidEnumerator+0x104b4 DllInstall-0x4ede0 ieframe+0x6477c @ 0x7fef54c477c CreateExtensionGuidEnumerator+0x103e6 DllInstall-0x4eeae ieframe+0x646ae @ 0x7fef54c46ae FastMimeGetFileExtension+0xd8c LCIEUnpackString-0xefd8 iertutil+0xc508 @ 0x774ac508 CreateExtensionGuidEnumerator+0x6185 DllInstall-0x5910f ieframe+0x5a44d @ 0x7fef54ba44d DllRegisterServer+0x3f3cb CreateExtensionGuidEnumerator-0x1100d ieframe+0x432bb @ 0x7fef54a32bb DllRegisterServer+0x557b CreateExtensionGuidEnumerator-0x4ae5d ieframe+0x946b @ 0x7fef546946b CreateExtensionGuidEnumerator+0x8fb DllInstall-0x5e999 ieframe+0x54bc3 @ 0x7fef54b4bc3 DllRegisterServer+0x537e CreateExtensionGuidEnumerator-0x4b05a ieframe+0x926e @ 0x7fef546926e DllRegisterServer+0x54b3 CreateExtensionGuidEnumerator-0x4af25 ieframe+0x93a3 @ 0x7fef54693a3 iexplore+0x17d9 @ 0x11217d9 iexplore+0x1a65 @ 0x1121a65 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 2870576 registers.rsi: 0 registers.r10: 5002480 registers.rbx: 0 registers.rsp: 2881872 registers.r11: 2872336 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2002106181 registers.r13: 0	1
__exception__ Jan. 21, 2025, 12:25 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d IWICBitmapCodecInfo_GetDeviceModels_Proxy+0xa4088 windowscodecs+0xa704c @ 0x7fefbdd704c IWICBitmapCodecInfo_GetDeviceModels_Proxy+0x69c50 windowscodecs+0x6cc14 @ 0x7fefbd9cc14 IWICBitmapCodecInfo_GetDeviceModels_Proxy+0x692e8 windowscodecs+0x6c2ac @ 0x7fefbd9c2ac IWICBitmapCodecInfo_GetDeviceModels_Proxy+0xd3265 windowscodecs+0xd6229 @ 0x7fefbe06229 IWICBitmapCodecInfo_GetDeviceModels_Proxy+0xd20fa windowscodecs+0xd50be @ 0x7fefbe050be CTravelLog_CreateInstance+0x6f515 DllCanUnloadNow-0x92fdf mshtml+0x3669c1 @ 0x727c69c1 CTravelLog_CreateInstance+0x6ef60 DllCanUnloadNow-0x93594 mshtml+0x36640c @ 0x727c640c CTravelLog_CreateInstance+0x6cc1c DllCanUnloadNow-0x958d8 mshtml+0x3640c8 @ 0x727c40c8 CTravelLog_CreateInstance+0x6cb7c DllCanUnloadNow-0x95978 mshtml+0x364028 @ 0x727c4028 CreateFiberEx+0x27d LCIDToLocaleName-0x23 kernel32+0x8fed @ 0x76fc8fed exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xc0000002 exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 87617568 registers.rsi: 0 registers.r10: 156 registers.rbx: 0 registers.rsp: 87620256 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1917226420 registers.r13: 0	1
__exception__ Jan. 21, 2025, 12:26 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3 CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe1c62ba Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefdffb949 CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7fefe1c21d0 DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe07d8a2 DllRegisterServer+0x167bc CreateExtensionGuidEnumerator-0x39c1c ieframe+0x1a6ac @ 0x7fef547a6ac DllRegisterServer+0x33caa CreateExtensionGuidEnumerator-0x1c72e ieframe+0x37b9a @ 0x7fef5497b9a DllRegisterServer+0x33bf4 CreateExtensionGuidEnumerator-0x1c7e4 ieframe+0x37ae4 @ 0x7fef5497ae4 FastMimeGetFileExtension+0x9c53 LCIEUnpackString-0x6111 iertutil+0x153cf @ 0x774b53cf DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef5478c57 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 58247024 registers.rsi: 0 registers.r10: 4633744 registers.rbx: 0 registers.rsp: 58260672 registers.r11: 58248784 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1946505239 registers.r13: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 21, 2025, 12:25 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe1c62ba
Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefdffb949
CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7fefe1c21d0
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe07d8a2
ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7fefe081bb3
ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7fefe081b22
CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7fefe0817eb
CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7fefe081417
CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7fefe0794fa
CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7fefe079428
CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7fefe079b49
CreateExtensionGuidEnumerator+0x366f9 DllInstall-0x28b9b ieframe+0x8a9c1 @ 0x7fef54ea9c1
CreateExtensionGuidEnumerator+0xc0f6 DllInstall-0x5319e ieframe+0x603be @ 0x7fef54c03be
CreateExtensionGuidEnumerator+0x1052d DllInstall-0x4ed67 ieframe+0x647f5 @ 0x7fef54c47f5
CreateExtensionGuidEnumerator+0x104b4 DllInstall-0x4ede0 ieframe+0x6477c @ 0x7fef54c477c
CreateExtensionGuidEnumerator+0x103e6 DllInstall-0x4eeae ieframe+0x646ae @ 0x7fef54c46ae
FastMimeGetFileExtension+0xd8c LCIEUnpackString-0xefd8 iertutil+0xc508 @ 0x774ac508
CreateExtensionGuidEnumerator+0x6185 DllInstall-0x5910f ieframe+0x5a44d @ 0x7fef54ba44d
DllRegisterServer+0x3f3cb CreateExtensionGuidEnumerator-0x1100d ieframe+0x432bb @ 0x7fef54a32bb
DllRegisterServer+0x557b CreateExtensionGuidEnumerator-0x4ae5d ieframe+0x946b @ 0x7fef546946b
CreateExtensionGuidEnumerator+0x8fb DllInstall-0x5e999 ieframe+0x54bc3 @ 0x7fef54b4bc3
DllRegisterServer+0x537e CreateExtensionGuidEnumerator-0x4b05a ieframe+0x926e @ 0x7fef546926e
DllRegisterServer+0x54b3 CreateExtensionGuidEnumerator-0x4af25 ieframe+0x93a3 @ 0x7fef54693a3
iexplore+0x17d9 @ 0x11217d9
iexplore+0x1a65 @ 0x1121a65
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 2870576
registers.rsi: 0
registers.r10: 5002480
registers.rbx: 0
registers.rsp: 2881872
registers.r11: 2872336
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2002106181
registers.r13: 0

__exception__

Jan. 21, 2025, 12:25 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
IWICBitmapCodecInfo_GetDeviceModels_Proxy+0xa4088 windowscodecs+0xa704c @ 0x7fefbdd704c
IWICBitmapCodecInfo_GetDeviceModels_Proxy+0x69c50 windowscodecs+0x6cc14 @ 0x7fefbd9cc14
IWICBitmapCodecInfo_GetDeviceModels_Proxy+0x692e8 windowscodecs+0x6c2ac @ 0x7fefbd9c2ac
IWICBitmapCodecInfo_GetDeviceModels_Proxy+0xd3265 windowscodecs+0xd6229 @ 0x7fefbe06229
IWICBitmapCodecInfo_GetDeviceModels_Proxy+0xd20fa windowscodecs+0xd50be @ 0x7fefbe050be
CTravelLog_CreateInstance+0x6f515 DllCanUnloadNow-0x92fdf mshtml+0x3669c1 @ 0x727c69c1
CTravelLog_CreateInstance+0x6ef60 DllCanUnloadNow-0x93594 mshtml+0x36640c @ 0x727c640c
CTravelLog_CreateInstance+0x6cc1c DllCanUnloadNow-0x958d8 mshtml+0x3640c8 @ 0x727c40c8
CTravelLog_CreateInstance+0x6cb7c DllCanUnloadNow-0x95978 mshtml+0x364028 @ 0x727c4028
CreateFiberEx+0x27d LCIDToLocaleName-0x23 kernel32+0x8fed @ 0x76fc8fed

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000002
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 87617568
registers.rsi: 0
registers.r10: 156
registers.rbx: 0
registers.rsp: 87620256
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1917226420
registers.r13: 0

__exception__

Jan. 21, 2025, 12:26 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe1c62ba
Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefdffb949
CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7fefe1c21d0
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe07d8a2
DllRegisterServer+0x167bc CreateExtensionGuidEnumerator-0x39c1c ieframe+0x1a6ac @ 0x7fef547a6ac
DllRegisterServer+0x33caa CreateExtensionGuidEnumerator-0x1c72e ieframe+0x37b9a @ 0x7fef5497b9a
DllRegisterServer+0x33bf4 CreateExtensionGuidEnumerator-0x1c7e4 ieframe+0x37ae4 @ 0x7fef5497ae4
FastMimeGetFileExtension+0x9c53 LCIEUnpackString-0x6111 iertutil+0x153cf @ 0x774b53cf
DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef5478c57
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 58247024
registers.rsi: 0
registers.r10: 4633744
registers.rbx: 0
registers.rsp: 58260672
registers.r11: 58248784
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1946505239
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 84 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 region_size: 15273984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000025e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007725d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077264000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe4f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 808 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 region_size: 14290944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007725d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077264000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe4f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077706000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077250000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776eb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe1a7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe494000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe491000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe496000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe491000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (6 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 808 crashed
Application Crash	Process iexplore.exe with pid 2068 crashed
Application Crash	Process iexplore.exe with pid 2632 crashed
__exception__ Jan. 21, 2025, 12:25 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3 CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe1c62ba Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefdffb949 CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7fefe1c21d0 DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe07d8a2 ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7fefe081bb3 ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7fefe081b22 CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7fefe0817eb CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7fefe081417 CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7fefe0794fa CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7fefe079428 CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7fefe079b49 CreateExtensionGuidEnumerator+0x366f9 DllInstall-0x28b9b ieframe+0x8a9c1 @ 0x7fef54ea9c1 CreateExtensionGuidEnumerator+0xc0f6 DllInstall-0x5319e ieframe+0x603be @ 0x7fef54c03be CreateExtensionGuidEnumerator+0x1052d DllInstall-0x4ed67 ieframe+0x647f5 @ 0x7fef54c47f5 CreateExtensionGuidEnumerator+0x104b4 DllInstall-0x4ede0 ieframe+0x6477c @ 0x7fef54c477c CreateExtensionGuidEnumerator+0x103e6 DllInstall-0x4eeae ieframe+0x646ae @ 0x7fef54c46ae FastMimeGetFileExtension+0xd8c LCIEUnpackString-0xefd8 iertutil+0xc508 @ 0x774ac508 CreateExtensionGuidEnumerator+0x6185 DllInstall-0x5910f ieframe+0x5a44d @ 0x7fef54ba44d DllRegisterServer+0x3f3cb CreateExtensionGuidEnumerator-0x1100d ieframe+0x432bb @ 0x7fef54a32bb DllRegisterServer+0x557b CreateExtensionGuidEnumerator-0x4ae5d ieframe+0x946b @ 0x7fef546946b CreateExtensionGuidEnumerator+0x8fb DllInstall-0x5e999 ieframe+0x54bc3 @ 0x7fef54b4bc3 DllRegisterServer+0x537e CreateExtensionGuidEnumerator-0x4b05a ieframe+0x926e @ 0x7fef546926e DllRegisterServer+0x54b3 CreateExtensionGuidEnumerator-0x4af25 ieframe+0x93a3 @ 0x7fef54693a3 iexplore+0x17d9 @ 0x11217d9 iexplore+0x1a65 @ 0x1121a65 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 2870576 registers.rsi: 0 registers.r10: 5002480 registers.rbx: 0 registers.rsp: 2881872 registers.r11: 2872336 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2002106181 registers.r13: 0	1	0	0
__exception__ Jan. 21, 2025, 12:25 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d IWICBitmapCodecInfo_GetDeviceModels_Proxy+0xa4088 windowscodecs+0xa704c @ 0x7fefbdd704c IWICBitmapCodecInfo_GetDeviceModels_Proxy+0x69c50 windowscodecs+0x6cc14 @ 0x7fefbd9cc14 IWICBitmapCodecInfo_GetDeviceModels_Proxy+0x692e8 windowscodecs+0x6c2ac @ 0x7fefbd9c2ac IWICBitmapCodecInfo_GetDeviceModels_Proxy+0xd3265 windowscodecs+0xd6229 @ 0x7fefbe06229 IWICBitmapCodecInfo_GetDeviceModels_Proxy+0xd20fa windowscodecs+0xd50be @ 0x7fefbe050be CTravelLog_CreateInstance+0x6f515 DllCanUnloadNow-0x92fdf mshtml+0x3669c1 @ 0x727c69c1 CTravelLog_CreateInstance+0x6ef60 DllCanUnloadNow-0x93594 mshtml+0x36640c @ 0x727c640c CTravelLog_CreateInstance+0x6cc1c DllCanUnloadNow-0x958d8 mshtml+0x3640c8 @ 0x727c40c8 CTravelLog_CreateInstance+0x6cb7c DllCanUnloadNow-0x95978 mshtml+0x364028 @ 0x727c4028 CreateFiberEx+0x27d LCIDToLocaleName-0x23 kernel32+0x8fed @ 0x76fc8fed exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xc0000002 exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 87617568 registers.rsi: 0 registers.r10: 156 registers.rbx: 0 registers.rsp: 87620256 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1917226420 registers.r13: 0	1	0	0
__exception__ Jan. 21, 2025, 12:26 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdf373c3 CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe1c62ba Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7fefdffb949 CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7fefe1c21d0 DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe07d8a2 DllRegisterServer+0x167bc CreateExtensionGuidEnumerator-0x39c1c ieframe+0x1a6ac @ 0x7fef547a6ac DllRegisterServer+0x33caa CreateExtensionGuidEnumerator-0x1c72e ieframe+0x37b9a @ 0x7fef5497b9a DllRegisterServer+0x33bf4 CreateExtensionGuidEnumerator-0x1c7e4 ieframe+0x37ae4 @ 0x7fef5497ae4 FastMimeGetFileExtension+0x9c53 LCIEUnpackString-0x6111 iertutil+0x153cf @ 0x774b53cf DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef5478c57 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 58247024 registers.rsi: 0 registers.r10: 4633744 registers.rbx: 0 registers.rsp: 58260672 registers.r11: 58248784 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1946505239 registers.r13: 0	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff90000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:808 CREDAT:145409
cmdline	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:808 CREDAT:79875

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 808 resumed a thread in remote process 2068
Process injection	Process 808 resumed a thread in remote process 2632
NtResumeThread Jan. 21, 2025, 12:25 p.m.	thread_handle: 0x0000000000000364 suspend_count: 1 process_identifier: 2068	1	0	0
NtResumeThread Jan. 21, 2025, 12:25 p.m.	thread_handle: 0x00000000000004f8 suspend_count: 1 process_identifier: 2632	1	0	0

Archive OEBPS/19_Chapter_11.xhtml @ Cuckoo.epub

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All