US 12,216,760 B2
Method and apparatus to identify creator of COM process created using OLE automation
Manish Kumar, Cork (IE); and Jonathan L. Edwards, Portland, OR (US)
Assigned to Musarubra US LLC, San Jose, CA (US)
Filed by Musarubra US LLC, Plano, TX (US)
Filed on Oct. 29, 2021, as Appl. No. 17/514,437.
Prior Publication US 2023/0136586 A1, May 4, 2023
Int. Cl. G06F 21/56 (2013.01)
CPC G06F 21/56 (2013.01) [G06F 2221/033 (2013.01)] 20 Claims
OG exemplary drawing
 
1. An apparatus comprising:
interface circuitry;
machine-readable instructions; and
at least one processor circuit to be programmed by the machine-readable instructions to:
capture a first event message for a first event in an event log, the first event message including a first ID of the first event, and a first timestamp;
capture a second event message for a second event in the event log, the second event message including a second ID of the second event, the second ID different than the first ID, and a second timestamp occurring after the first timestamp;
identify a second process based on the second event message;
determine that the second process was created by a component object model (COM) call, at least in part based on the second ID;
determine that a first process initiated the COM call, at least in part based on the first event message and the second event message; and
execute a malware scan of a parent of the first process, at least in part based on the determination that the first process initiated the COM call.
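The correlation that claim 1 describes, run over a handful of constructed event-log records, as an added example (this is not code from the patent or from Musarubra). The event IDs, field names, CLSID strings and process table below are all assumptions made for the illustration; the claim itself only requires that the two event IDs differ, that the second ID marks a process created by a COM call, and that the second timestamp follow the first. The scenario it models is the one that motivates such a correlation: an out-of-process COM server launched through OLE automation is started by the DCOM launch service, so its recorded parent is a system service rather than the process that asked for it, and the true initiator has to be recovered from the earlier "COM call" record.

```python
"""Attribute a COM-created process to the process that issued the COM call,
then pick that initiator's parent as the scan target (claim 1, steps 1-6).

Added example; event IDs, field names, CLSIDs and PIDs are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed event IDs (hypothetical): the first ID marks "process issued a
# COM activation request", the second "a process was created for that
# activation".  Real logs would use whatever IDs the sensor assigns.
EVT_COM_CALL = 4101
EVT_COM_PROC = 4102


@dataclass(frozen=True)
class Event:
    event_id: int
    timestamp: float                 # seconds; constructed values
    pid: int                         # process the record is about
    clsid: str                       # COM class being activated
    parent_pid: Optional[int] = None # recorded parent (EVT_COM_PROC only)


@dataclass(frozen=True)
class Attribution:
    com_process: int   # second process: created by the COM call
    initiator: int     # first process: issued the COM call
    scan_target: int   # parent of the initiator, handed to the scanner


def find_initiator(com_proc: Event, events, window: float) -> Optional[Event]:
    """Latest EVT_COM_CALL for the same CLSID that *precedes* com_proc within
    `window` seconds.  Later calls never qualify (second timestamp must occur
    after the first), and a stale call outside the window is ignored."""
    candidates = [
        e for e in events
        if e.event_id == EVT_COM_CALL
        and e.clsid == com_proc.clsid
        and e.timestamp < com_proc.timestamp
        and com_proc.timestamp - e.timestamp <= window
    ]
    return max(candidates, key=lambda e: e.timestamp) if candidates else None


def attribute_com_processes(events, process_tree, window: float = 5.0):
    """process_tree maps pid -> parent pid (a snapshot, constructed here).
    Returns one Attribution per COM-created process whose initiator is known."""
    results = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.event_id != EVT_COM_PROC:           # only second-type events
            continue
        first = find_initiator(ev, events, window)
        if first is None or first.pid not in process_tree:
            continue                               # cannot name an initiator
        results.append(Attribution(ev.pid, first.pid, process_tree[first.pid]))
    return results


# --- constructed sample data ------------------------------------------------
# 3300 WINWORD.EXE -> 4400 wscript.exe (initiator); 776 is the DCOM launcher
# that actually spawns the COM server 5500, so its recorded parent is 776.
SAMPLE_TREE = {4400: 3300, 5500: 776, 6600: 3300, 7700: 776}
CLSID_A = "{CLSID-A}"   # placeholder, not a real CLSID
CLSID_B = "{CLSID-B}"

SAMPLE_EVENTS = [
    Event(EVT_COM_CALL, 100.0, pid=4400, clsid=CLSID_A),
    Event(EVT_COM_PROC, 100.3, pid=5500, clsid=CLSID_A, parent_pid=776),
    Event(EVT_COM_CALL, 100.5, pid=6600, clsid=CLSID_A),   # too late: not it
    Event(EVT_COM_PROC, 200.0, pid=7700, clsid=CLSID_B, parent_pid=776),  # no call
]


def scan_targets(events=SAMPLE_EVENTS, tree=SAMPLE_TREE):
    """PIDs the claim's last step would hand to the malware scanner."""
    return sorted({a.scan_target for a in attribute_com_processes(events, tree)})


if __name__ == "__main__":
    for a in attribute_com_processes(SAMPLE_EVENTS, SAMPLE_TREE):
        print(f"COM process {a.com_process} <- initiator {a.initiator}; scan parent {a.scan_target}")
```

The two non-matches are deliberate: the call from 6600 is newer than the process-creation record, so it fails the ordering condition in the claim, and 7700 has no preceding call at all, so no initiator (and no scan target) is named for it rather than falling back to the recorded parent 776.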