Summary

URL Details

URL
https://phylact.fjcqdgw.cn/Rfuncc1013000extfunc/

Score

This url shows some signs of potential malicious behavior.

The score of this url is 1.1 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
URL Feb. 1, 2026, 7:27 a.m. Feb. 1, 2026, 7:35 a.m. 476 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2026-02-01 00:09:18,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpqnr2dk
2026-02-01 00:09:18,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\ejubgrVFvsgtbxlkwmJyMhovqcU
2026-02-01 00:09:18,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\TExZwcNRraxbJiHV
2026-02-01 00:09:18,483 [analyzer] DEBUG: Started auxiliary module Curtain
2026-02-01 00:09:18,483 [analyzer] DEBUG: Started auxiliary module DbgView
2026-02-01 00:09:18,921 [analyzer] DEBUG: Started auxiliary module Disguise
2026-02-01 00:09:19,108 [analyzer] DEBUG: Loaded monitor into process with pid 504
2026-02-01 00:09:19,108 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2026-02-01 00:09:19,108 [analyzer] DEBUG: Started auxiliary module Human
2026-02-01 00:09:19,108 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2026-02-01 00:09:19,108 [analyzer] DEBUG: Started auxiliary module Reboot
2026-02-01 00:09:19,217 [analyzer] DEBUG: Started auxiliary module RecentFiles
2026-02-01 00:09:19,217 [analyzer] DEBUG: Started auxiliary module Screenshots
2026-02-01 00:09:19,217 [analyzer] DEBUG: Started auxiliary module Sysmon
2026-02-01 00:09:19,217 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2026-02-01 00:09:19,328 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['https://phylact.fjcqdgw.cn/Rfuncc1013000extfunc/'] and pid 2116
2026-02-01 00:09:19,483 [analyzer] DEBUG: Loaded monitor into process with pid 2116
2026-02-01 00:09:20,750 [analyzer] DEBUG: Following legitimate IE11 process: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2!
2026-02-01 00:09:20,828 [analyzer] INFO: Injected into process with pid 1468 and name u'iexplore.exe'
2026-02-01 00:09:20,905 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 1468.
2026-02-01 00:09:21,062 [analyzer] DEBUG: Loaded monitor into process with pid 1468
2026-02-01 00:09:21,062 [analyzer] INFO: Added new file to list with pid 2116 and path C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DEB6B2F5-FEF9-11F0-B23A-80D4D9282D05}.dat
2026-02-01 00:09:21,092 [analyzer] INFO: Added new file to list with pid 2116 and path C:\Users\Administrator\AppData\Local\Temp\~DFF1A39326ACF27F6E.TMP
2026-02-01 00:09:21,328 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2026-02-01 00:09:21,328 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2026-02-01 00:09:21,328 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2026-02-01 00:09:21,328 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2026-02-01 00:09:21,328 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2026-02-01 00:09:21,328 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2026-02-01 00:09:21,328 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2026-02-01 00:09:21,342 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2026-02-01 00:09:21,342 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2026-02-01 00:09:21,342 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2026-02-01 00:09:21,342 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2026-02-01 00:09:21,342 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2026-02-01 00:09:21,342 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2026-02-01 00:09:21,342 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2026-02-01 00:09:21,733 [analyzer] INFO: Added new file to list with pid 2116 and path C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DEB6B2F7-FEF9-11F0-B23A-80D4D9282D05}.dat
2026-02-01 00:09:21,780 [analyzer] INFO: Added new file to list with pid 2116 and path C:\Users\Administrator\AppData\Local\Temp\~DFF305C128362BDAA9.TMP
2026-02-01 00:09:24,921 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14232B434CF29D4C4FB335A86D7FFFE3
2026-02-01 00:09:24,921 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14232B434CF29D4C4FB335A86D7FFFE3
2026-02-01 00:09:24,921 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Cab407D.tmp
2026-02-01 00:09:24,937 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Tar407E.tmp
2026-02-01 00:09:24,967 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Cab408F.tmp
2026-02-01 00:09:24,983 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Tar4090.tmp
2026-02-01 00:09:25,030 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
2026-02-01 00:09:25,046 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
2026-02-01 00:09:25,046 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Cab40FE.tmp
2026-02-01 00:09:25,062 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Tar40FF.tmp
2026-02-01 00:09:25,078 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Cab4110.tmp
2026-02-01 00:09:25,078 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Tar4111.tmp
2026-02-01 00:09:25,217 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
2026-02-01 00:09:25,217 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
2026-02-01 00:09:25,280 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
2026-02-01 00:09:25,280 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
2026-02-01 00:09:25,312 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Cab420C.tmp
2026-02-01 00:09:25,328 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Temp\Tar420D.tmp
2026-02-01 00:09:25,342 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2026-02-01 00:09:25,358 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2026-02-01 00:09:25,358 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2026-02-01 00:09:25,358 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2026-02-01 00:09:25,358 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2026-02-01 00:09:25,358 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2026-02-01 00:09:25,358 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2026-02-01 00:09:25,421 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S3YTGQVJ\cf.errors[1].css
2026-02-01 00:09:25,578 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CPE5U1D\browser-bar[1].png
2026-02-01 00:09:25,578 [analyzer] INFO: Added new file to list with pid 1468 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CPE5U1D\cf-no-screenshot-error[1].png
2026-02-01 06:31:50,737 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2026-02-01 06:31:51,003 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 2116.
2026-02-01 06:31:51,082 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 1468.
2026-02-01 06:31:51,378 [analyzer] INFO: Terminating remaining processes before shutdown.
2026-02-01 06:31:51,378 [lib.api.process] INFO: Successfully terminated process with pid 2116.
2026-02-01 06:31:51,378 [lib.api.process] INFO: Successfully terminated process with pid 1468.
2026-02-01 06:31:51,410 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cab408f.tmp' does not exist, skip.
2026-02-01 06:31:51,410 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tar40ff.tmp' does not exist, skip.
2026-02-01 06:31:51,424 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cab420c.tmp' does not exist, skip.
2026-02-01 06:31:51,440 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\~dff1a39326acf27f6e.tmp' does not exist, skip.
2026-02-01 06:31:51,440 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tar407e.tmp' does not exist, skip.
2026-02-01 06:31:51,440 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cab407d.tmp' does not exist, skip.
2026-02-01 06:31:51,440 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tar4111.tmp' does not exist, skip.
2026-02-01 06:31:51,440 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tar4090.tmp' does not exist, skip.
2026-02-01 06:31:51,457 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tar420d.tmp' does not exist, skip.
2026-02-01 06:31:51,471 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\~dff305c128362bdaa9.tmp' does not exist, skip.
2026-02-01 06:31:51,471 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cab4110.tmp' does not exist, skip.
2026-02-01 06:31:51,471 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cab40fe.tmp' does not exist, skip.
2026-02-01 06:31:51,471 [analyzer] INFO: Analysis completed.

Cuckoo Log

2026-02-01 07:27:18,150 [cuckoo.core.scheduler] INFO: Task #7396644: acquired machine win7x6415 (label=win7x6415)
2026-02-01 07:27:18,152 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.215 for task #7396644
2026-02-01 07:27:18,581 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3121618 (interface=vboxnet0, host=192.168.168.215)
2026-02-01 07:27:18,616 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6415
2026-02-01 07:27:19,808 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6415 to vmcloak
2026-02-01 07:31:12,903 [cuckoo.core.guest] INFO: Starting analysis #7396644 on guest (id=win7x6415, ip=192.168.168.215)
2026-02-01 07:31:13,910 [cuckoo.core.guest] DEBUG: win7x6415: not ready yet
2026-02-01 07:31:18,932 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6415, ip=192.168.168.215)
2026-02-01 07:31:19,035 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6415, ip=192.168.168.215, monitor=latest, size=6660546)
2026-02-01 07:31:20,374 [cuckoo.core.resultserver] DEBUG: Task #7396644: live log analysis.log initialized.
2026-02-01 07:31:21,436 [cuckoo.core.resultserver] DEBUG: Task #7396644 is sending a BSON stream
2026-02-01 07:31:21,812 [cuckoo.core.resultserver] DEBUG: Task #7396644 is sending a BSON stream
2026-02-01 07:31:23,019 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'shots/0001.jpg'
2026-02-01 07:31:23,033 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 133496
2026-02-01 07:31:23,437 [cuckoo.core.resultserver] DEBUG: Task #7396644 is sending a BSON stream
2026-02-01 07:31:24,152 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'shots/0002.jpg'
2026-02-01 07:31:24,167 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 66970
2026-02-01 07:31:25,311 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'shots/0003.jpg'
2026-02-01 07:31:25,315 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 30500
2026-02-01 07:31:26,343 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'shots/0004.jpg'
2026-02-01 07:31:26,346 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 30791
2026-02-01 07:31:28,458 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'shots/0005.jpg'
2026-02-01 07:31:28,463 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 50519
2026-02-01 07:31:35,223 [cuckoo.core.guest] DEBUG: win7x6415: analysis #7396644 still processing
2026-02-01 07:31:50,411 [cuckoo.core.guest] DEBUG: win7x6415: analysis #7396644 still processing
2026-02-01 07:31:51,201 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'curtain/1769923911.19.curtain.log'
2026-02-01 07:31:51,205 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 36
2026-02-01 07:31:51,361 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'sysmon/1769923911.36.sysmon.xml'
2026-02-01 07:31:51,377 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 1504448
2026-02-01 07:31:51,387 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/426dded92c254a2c_recoverystore.{deb6b2f5-fef9-11f0-b23a-80d4d9282d05}.dat'
2026-02-01 07:31:51,389 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 5632
2026-02-01 07:31:51,404 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/ebd41040e4bb3ec7_14232b434cf29d4c4fb335a86d7fffe3'
2026-02-01 07:31:51,409 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 889
2026-02-01 07:31:51,413 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/317d04ab17822780_14232b434cf29d4c4fb335a86d7fffe3'
2026-02-01 07:31:51,415 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 170
2026-02-01 07:31:51,423 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/84e3c77025ace5af_cf.errors[1].css'
2026-02-01 07:31:51,425 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 24051
2026-02-01 07:31:51,429 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/1c53772285052e52_cf-no-screenshot-error[1].png'
2026-02-01 07:31:51,431 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 3213
2026-02-01 07:31:51,434 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/70361fc5bd4a7fbf_8b2b9a00839eed1dfdccc3bfc2f5df12'
2026-02-01 07:31:51,436 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 1739
2026-02-01 07:31:51,439 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/f329045ff4616eeb_b46811c17859ffb409cf0e904a4aa8f8'
2026-02-01 07:31:51,440 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 170
2026-02-01 07:31:51,445 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/0662c61e5b815095_{deb6b2f7-fef9-11f0-b23a-80d4d9282d05}.dat'
2026-02-01 07:31:51,448 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 4096
2026-02-01 07:31:51,452 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/a9f29182e4ee171b_8b2b9a00839eed1dfdccc3bfc2f5df12'
2026-02-01 07:31:51,454 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 174
2026-02-01 07:31:51,460 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/33ba8221ff3f5211_94308059b57b3142e455b38a6eb92015'
2026-02-01 07:31:51,468 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/6fb1b8e593cb0388_b46811c17859ffb409cf0e904a4aa8f8'
2026-02-01 07:31:51,470 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 530
2026-02-01 07:31:51,472 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 73211
2026-02-01 07:31:51,473 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/8c873472f4925d5d_browser-bar[1].png'
2026-02-01 07:31:51,475 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 715
2026-02-01 07:31:51,476 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'files/992b7d3eac9db9b6_94308059b57b3142e455b38a6eb92015'
2026-02-01 07:31:51,477 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 344
2026-02-01 07:31:52,030 [cuckoo.core.resultserver] DEBUG: Task #7396644: File upload for 'shots/0006.jpg'
2026-02-01 07:31:52,041 [cuckoo.core.resultserver] DEBUG: Task #7396644 uploaded file length: 133447
2026-02-01 07:31:52,054 [cuckoo.core.resultserver] DEBUG: Task #7396644 had connection reset for <Context for LOG>
2026-02-01 07:31:53,422 [cuckoo.core.guest] INFO: win7x6415: analysis completed successfully
2026-02-01 07:31:53,433 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2026-02-01 07:31:53,458 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2026-02-01 07:31:54,828 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6415 to path /srv/cuckoo/cwd/storage/analyses/7396644/memory.dmp
2026-02-01 07:31:54,830 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6415
2026-02-01 07:35:14,295 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.215 for task #7396644
2026-02-01 07:35:14,680 [cuckoo.core.scheduler] DEBUG: Released database task #7396644
2026-02-01 07:35:14,706 [cuckoo.core.scheduler] INFO: Task #7396644: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (50 out of 339 events)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefec28000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefec28000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefec28000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdb3f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdb16000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdb16000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdb16000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefb31b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b04000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd0a4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa34c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa364000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa2cb000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3bb4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefae1a000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000028d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd2c2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1ce2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbcdb000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef512e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff19b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff19b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff19b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff19b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd511000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd5ff000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd628000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01096000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x753b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x759dc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x759dc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x759dc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x759d7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x759d7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x759d7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74851000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x752c0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x752c0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x752c0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77011000
process_handle: 0xffffffff
1 0 0
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 16 (PAGE_EXECUTE)
base_address: 0x05060000
process_handle: 0xffffffff
1 0 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2116 resumed a thread in remote process 1468
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000000000033c
suspend_count: 1
process_identifier: 1468
1 0 0
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.