From 1e91775a7f7202088b456721beb99342be8a0ade Mon Sep 17 00:00:00 2001 From: patrykkopycinski Date: Fri, 24 Jan 2020 00:11:13 +0100 Subject: [PATCH 01/10] [SIEM] Overview Page - Expand Winlogbeat Stats (#55696) --- .../siem/cypress/fixtures/overview.json | 3 +- .../integration/lib/overview/selectors.ts | 13 ++++-- .../__snapshots__/index.test.tsx.snap | 42 ++++++++++++++++--- .../overview/overview_host_stats/index.tsx | 21 ++++++++-- .../page/overview/overview_host_stats/mock.ts | 3 +- .../public/components/page/overview/types.ts | 3 +- .../overview/overview_host/index.gql_query.ts | 3 +- .../siem/public/graphql/introspection.json | 10 ++++- .../plugins/siem/public/graphql/types.ts | 8 +++- .../server/graphql/overview/schema.gql.ts | 3 +- .../plugins/siem/server/graphql/types.ts | 19 +++++++-- .../lib/overview/elastic_adapter.test.ts | 6 ++- .../lib/overview/elasticsearch_adapter.ts | 11 ++++- .../plugins/siem/server/lib/overview/mock.ts | 12 +++++- .../siem/server/lib/overview/query.dsl.ts | 18 +++++++- .../translations/translations/ja-JP.json | 1 - .../translations/translations/zh-CN.json | 1 - .../apis/siem/overview_host.ts | 3 +- 18 files changed, 147 insertions(+), 33 deletions(-) diff --git a/x-pack/legacy/plugins/siem/cypress/fixtures/overview.json b/x-pack/legacy/plugins/siem/cypress/fixtures/overview.json index cc1996909562d22..893661a69304340 100644 --- a/x-pack/legacy/plugins/siem/cypress/fixtures/overview.json +++ b/x-pack/legacy/plugins/siem/cypress/fixtures/overview.json @@ -29,7 +29,8 @@ "endgameRegistry": 396, "endgameSecurity": 397, "filebeatSystemModule": 890, - "winlogbeat": 100, + "winlogbeatSecurity": 70, + "winlogbeatMWSysmonOperational": 30, "__typename": "OverviewHostData" }, "__typename": "Source" diff --git a/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts b/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts index a8af321ff9832db..95facc897440098 100644 
--- a/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts +++ b/x-pack/legacy/plugins/siem/cypress/integration/lib/overview/selectors.ts @@ -61,9 +61,13 @@ export const STAT_USER = { value: '789', domId: '[data-test-subj="host-stat-auditbeatUser"]', }; -export const STAT_WINLOGBEAT = { - value: '100', - domId: '[data-test-subj="host-stat-winlogbeat"]', +export const STAT_WINLOGBEAT_SECURITY = { + value: '70', + domId: '[data-test-subj="host-stat-winlogbeatSecurity"]', +}; +export const STAT_WINLOGBEAT_MWSYSMON_OPERATIONAL = { + value: '30', + domId: '[data-test-subj="host-stat-winlogbeatMWSysmonOperational"]', }; export const HOST_STATS = [ @@ -81,7 +85,8 @@ export const HOST_STATS = [ STAT_PACKAGE, STAT_PROCESS, STAT_USER, - STAT_WINLOGBEAT, + STAT_WINLOGBEAT_SECURITY, + STAT_WINLOGBEAT_MWSYSMON_OPERATIONAL, ]; // Network Stats diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap index ac4d3036046b32d..ea2e8d90b89dce7 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/__snapshots__/index.test.tsx.snap @@ -602,7 +602,7 @@ exports[`Overview Host Stat Data rendering it renders the default OverviewHostSt > + + + + + + + + + + + + id: 'filebeatSystemModule', }, { - count: data.winlogbeat ?? 0, + count: data.winlogbeatSecurity ?? 0, title: ( - + + ), + id: 'winlogbeatSecurity', + }, + { + count: data.winlogbeatMWSysmonOperational ?? 0, + title: ( + ), - id: 'winlogbeat', + id: 'winlogbeatMWSysmonOperational', }, ]; @@ -182,7 +195,7 @@ const hostStatGroups: StatGroup[] = [ defaultMessage="Winlogbeat" /> ), - statIds: ['winlogbeat'], + statIds: ['winlogbeatSecurity', 'winlogbeatMWSysmonOperational'], }, ]; 
diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts index c7adb13657760c0..60e653caab8c10a 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/mock.ts @@ -22,6 +22,7 @@ export const mockData: { OverviewHost: OverviewHostData } = { endgameRegistry: 39161718, endgameSecurity: 39202122, filebeatSystemModule: 568, - winlogbeat: 296999, + winlogbeatSecurity: 195929, + winlogbeatMWSysmonOperational: 101070, }, }; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/types.ts b/x-pack/legacy/plugins/siem/public/components/page/overview/types.ts index 9333aa386dbc067..e260f2843692ddb 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/types.ts +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/types.ts @@ -28,7 +28,8 @@ export type OverviewStatId = | 'packetbeatDNS' | 'packetbeatFlow' | 'packetbeatTLS' - | 'winlogbeat'; + | 'winlogbeatSecurity' + | 'winlogbeatMWSysmonOperational'; export interface FormattedStat { count: number; diff --git a/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts b/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts index 76f061a0a33d0b4..6f17bf6915aa457 100644 --- a/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts +++ b/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.gql_query.ts @@ -31,7 +31,8 @@ export const overviewHostQuery = gql` endgameRegistry endgameSecurity filebeatSystemModule - winlogbeat + winlogbeatSecurity + winlogbeatMWSysmonOperational inspect @include(if: $inspect) { dsl response 
diff --git a/x-pack/legacy/plugins/siem/public/graphql/introspection.json b/x-pack/legacy/plugins/siem/public/graphql/introspection.json index 7b9842fa2c2bce8..35599827ffe42d6 100644 --- a/x-pack/legacy/plugins/siem/public/graphql/introspection.json +++ b/x-pack/legacy/plugins/siem/public/graphql/introspection.json @@ -9291,7 +9291,15 @@ "deprecationReason": null }, { - "name": "winlogbeat", + "name": "winlogbeatSecurity", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, + { + "name": "winlogbeatMWSysmonOperational", "description": "", "args": [], "type": { "kind": "SCALAR", "name": "Float", "ofType": null }, diff --git a/x-pack/legacy/plugins/siem/public/graphql/types.ts b/x-pack/legacy/plugins/siem/public/graphql/types.ts index b13e295a8e1683d..4b6825268403cb4 100644 --- a/x-pack/legacy/plugins/siem/public/graphql/types.ts +++ b/x-pack/legacy/plugins/siem/public/graphql/types.ts @@ -1847,7 +1847,9 @@ export interface OverviewHostData { filebeatSystemModule?: Maybe; - winlogbeat?: Maybe; + winlogbeatSecurity?: Maybe; + + winlogbeatMWSysmonOperational?: Maybe; inspect?: Maybe; } @@ -4029,7 +4031,9 @@ export namespace GetOverviewHostQuery { filebeatSystemModule: Maybe; - winlogbeat: Maybe; + winlogbeatSecurity: Maybe; + + winlogbeatMWSysmonOperational: Maybe; inspect: Maybe; }; diff --git a/x-pack/legacy/plugins/siem/server/graphql/overview/schema.gql.ts b/x-pack/legacy/plugins/siem/server/graphql/overview/schema.gql.ts index bbb93ac42b6da12..7ab4f9fdb18d6cd 100644 --- a/x-pack/legacy/plugins/siem/server/graphql/overview/schema.gql.ts +++ b/x-pack/legacy/plugins/siem/server/graphql/overview/schema.gql.ts @@ -35,7 +35,8 @@ export const overviewSchema = gql` endgameRegistry: Float endgameSecurity: Float filebeatSystemModule: Float - winlogbeat: Float + winlogbeatSecurity: Float + winlogbeatMWSysmonOperational: Float inspect: Inspect } 
diff --git a/x-pack/legacy/plugins/siem/server/graphql/types.ts b/x-pack/legacy/plugins/siem/server/graphql/types.ts index 4a2119b6f76313e..bc7486777b99067 100644 --- a/x-pack/legacy/plugins/siem/server/graphql/types.ts +++ b/x-pack/legacy/plugins/siem/server/graphql/types.ts @@ -1849,7 +1849,9 @@ export interface OverviewHostData { filebeatSystemModule?: Maybe; - winlogbeat?: Maybe; + winlogbeatSecurity?: Maybe; + + winlogbeatMWSysmonOperational?: Maybe; inspect?: Maybe; } @@ -7831,7 +7833,13 @@ export namespace OverviewHostDataResolvers { filebeatSystemModule?: FilebeatSystemModuleResolver, TypeParent, TContext>; - winlogbeat?: WinlogbeatResolver, TypeParent, TContext>; + winlogbeatSecurity?: WinlogbeatSecurityResolver, TypeParent, TContext>; + + winlogbeatMWSysmonOperational?: WinlogbeatMwSysmonOperationalResolver< + Maybe, + TypeParent, + TContext + >; inspect?: InspectResolver, TypeParent, TContext>; } @@ -7906,7 +7914,12 @@ export namespace OverviewHostDataResolvers { Parent = OverviewHostData, TContext = SiemContext > = Resolver; - export type WinlogbeatResolver< + export type WinlogbeatSecurityResolver< + R = Maybe, + Parent = OverviewHostData, + TContext = SiemContext + > = Resolver; + export type WinlogbeatMwSysmonOperationalResolver< R = Maybe, Parent = OverviewHostData, TContext = SiemContext diff --git a/x-pack/legacy/plugins/siem/server/lib/overview/elastic_adapter.test.ts b/x-pack/legacy/plugins/siem/server/lib/overview/elastic_adapter.test.ts index d904219c76531c8..29035f4539be89d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/overview/elastic_adapter.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/overview/elastic_adapter.test.ts 
@@ -143,7 +143,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
 mockNoDataResponse.aggregations.system_module.process_count.doc_count = 0;
 mockNoDataResponse.aggregations.system_module.user_count.doc_count = 0;
 mockNoDataResponse.aggregations.system_module.filebeat_count.doc_count = 0;
- mockNoDataResponse.aggregations.winlog_count.doc_count = 0;
+ mockNoDataResponse.aggregations.winlog_module.security_event_count.doc_count = 0;
+ mockNoDataResponse.aggregations.winlog_module.mwsysmon_operational_event_count.doc_count = 0;
 const mockCallWithRequest = jest.fn();
 mockCallWithRequest.mockResolvedValue(mockNoDataResponse);
 const mockFramework: FrameworkAdapter = {
@@ -181,7 +182,8 @@ describe('Siem Overview elasticsearch_adapter', () => {
 endgameRegistry: 0,
 endgameSecurity: 0,
 filebeatSystemModule: 0,
- winlogbeat: 0,
+ winlogbeatSecurity: 0,
+ winlogbeatMWSysmonOperational: 0,
 });
 });
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/overview/elasticsearch_adapter.ts b/x-pack/legacy/plugins/siem/server/lib/overview/elasticsearch_adapter.ts
index b6b56fab484025b..982b47110c5135a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/overview/elasticsearch_adapter.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/overview/elasticsearch_adapter.ts
@@ -117,7 +117,16 @@ export class ElasticsearchOverviewAdapter implements OverviewAdapter {
 'aggregations.system_module.filebeat_count.doc_count',
 response
 ),
- winlogbeat: getOr(null, 'aggregations.winlog_count.doc_count', response),
+ winlogbeatSecurity: getOr(
+ null,
+ 'aggregations.winlog_module.security_event_count.doc_count',
+ response
+ ),
+ winlogbeatMWSysmonOperational: getOr(
+ null,
+ 'aggregations.winlog_module.mwsysmon_operational_event_count.doc_count',
+ response
+ ),
 };
 }
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/overview/mock.ts b/x-pack/legacy/plugins/siem/server/lib/overview/mock.ts
index d2de5853879f850..6196f45029313e8 100644
--- a/x-pack/legacy/plugins/siem/server/lib/overview/mock.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/overview/mock.ts
@@ -137,7 +137,14 @@ export const mockResponseHost = {
 user_count: { doc_count: 1979 },
 filebeat_count: { doc_count: 225 },
 },
- winlog_count: { doc_count: 737 },
+ winlog_module: {
+ security_event_count: {
+ doc_count: 523,
+ },
+ mwsysmon_operational_event_count: {
+ doc_count: 214,
+ },
+ },
 },
 };
@@ -160,5 +167,6 @@ export const mockResultHost = {
 endgameRegistry: 896,
 endgameSecurity: 897,
 filebeatSystemModule: 225,
- winlogbeat: 737,
+ winlogbeatSecurity: 523,
+ winlogbeatMWSysmonOperational: 214,
 };
diff --git a/x-pack/legacy/plugins/siem/server/lib/overview/query.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/overview/query.dsl.ts
index 55af5505e7dce39..30656c011ee21db 100644
--- a/x-pack/legacy/plugins/siem/server/lib/overview/query.dsl.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/overview/query.dsl.ts
@@ -203,12 +203,28 @@ export const buildOverviewHostQuery = ({
 },
 },
 },
- winlog_count: {
+ winlog_module: {
 filter: {
 term: {
 'agent.type': 'winlogbeat',
 },
 },
+ aggs: {
+ mwsysmon_operational_event_count: {
+ filter: {
+ term: {
+ 'winlog.channel': 'Microsoft-Windows-Sysmon/Operational',
+ },
+ },
+ },
+ security_event_count: {
+ filter: {
+ term: {
+ 'winlog.channel': 'Security',
+ },
+ },
+ },
+ },
 },
 system_module: {
 filter: {
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index 1c0c44540781d99..842e59aedc7a6bb 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
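Review bot: The two new sub-aggregations under `winlog_module` count only winlogbeat events on the Security and Sysmon/Operational channels, and the parent filter's own `doc_count` is no longer read by the adapter, so events from any other Windows channel (System, Application, PowerShell and so on) silently disappear from the overview instead of being counted under a total; the api_integration expectation at the end of this patch changing `winlogbeat: 1` to two zeros shows exactly that for the test data. Either keep a total from `aggregations.winlog_module.doc_count` or state in a comment above `winlog_module: {` that the overview is deliberately channel-scoped. The `term` filters also assume `winlog.channel` is mapped as `keyword` and match case-sensitively, which the stock winlogbeat template satisfies but custom or legacy mappings may not; a one-line comment such as `// exact keyword match on the Windows channel name; other channels are not surfaced` would save the next reader a lookup.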
@@ -11343,7 +11343,6 @@ "xpack.siem.overview.startedText.docsLinkText": "ドキュメンテーション", "xpack.siem.overview.startedText.siemSolutionLinkText": "SIEM ソリューション", "xpack.siem.overview.startedTitle": "はじめて使う", - "xpack.siem.overview.winlogbeatTitle": "Winlogbeat", "xpack.siem.pages.fourohfour.noContentFoundDescription": "コンテンツがありません", "xpack.siem.paginatedTable.rowsButtonLabel": "ページごとの行数", "xpack.siem.paginatedTable.showingSubtitle": "表示中", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index 9500b1ce887a6d4..07cd663d12bbb85 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -11342,7 +11342,6 @@ "xpack.siem.overview.startedText.docsLinkText": "文档", "xpack.siem.overview.startedText.siemSolutionLinkText": "SIEM 解决方案", "xpack.siem.overview.startedTitle": "入门", - "xpack.siem.overview.winlogbeatTitle": "Winlogbeat", "xpack.siem.pages.fourohfour.noContentFoundDescription": "未找到任何内容", "xpack.siem.paginatedTable.rowsButtonLabel": "每页行数", "xpack.siem.paginatedTable.showingSubtitle": "显示", diff --git a/x-pack/test/api_integration/apis/siem/overview_host.ts b/x-pack/test/api_integration/apis/siem/overview_host.ts index f23d9047f97e955..d32eeaec884fa91 100644 --- a/x-pack/test/api_integration/apis/siem/overview_host.ts +++ b/x-pack/test/api_integration/apis/siem/overview_host.ts @@ -35,7 +35,8 @@ export default function({ getService }: FtrProviderContext) { endgameRegistry: 1, endgameSecurity: 4, filebeatSystemModule: 0, - winlogbeat: 1, + winlogbeatSecurity: 0, + winlogbeatMWSysmonOperational: 0, __typename: 'OverviewHostData', }; From ac0953e08b4cc6225965dff010c5d38e68ea3be4 Mon Sep 17 00:00:00 2001 
From: Matthias Wilhelm Date: Fri, 24 Jan 2020 06:23:53 +0100 Subject: [PATCH 02/10] [Discover] Change default sort handling for index patterns without timefield (#54427) Default sort is no longer in state. There's now a separate function to provide default sort for ES and UI, in case the user didn't actively select a field to sort by --- .../__tests__/doc_table/lib/get_sort.js | 39 +++++++++---------- .../discover/np_ready/angular/discover.js | 20 ++++++---- .../doc_table/components/table_header.ts | 1 + .../components/table_header/helpers.tsx | 2 +- .../table_header/table_header.test.tsx | 1 + .../components/table_header/table_header.tsx | 7 +++- .../table_header/table_header_column.tsx | 2 +- .../angular/doc_table/lib/get_default_sort.ts | 37 ++++++++++++++++++ .../angular/doc_table/lib/get_sort.js | 13 +++---- .../lib/get_sort_for_search_source.ts | 18 ++++++--- .../np_ready/embeddable/search_embeddable.ts | 6 ++- .../functional/apps/discover/_shared_links.js | 2 +- 12 files changed, 103 insertions(+), 45 deletions(-) create mode 100644 src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_default_sort.ts diff --git a/src/legacy/core_plugins/kibana/public/discover/__tests__/doc_table/lib/get_sort.js b/src/legacy/core_plugins/kibana/public/discover/__tests__/doc_table/lib/get_sort.js index d9fdcc48608d224..d5485bca33cf503 100644 --- a/src/legacy/core_plugins/kibana/public/discover/__tests__/doc_table/lib/get_sort.js +++ b/src/legacy/core_plugins/kibana/public/discover/__tests__/doc_table/lib/get_sort.js @@ -23,7 +23,6 @@ import ngMock from 'ng_mock'; import { getSort } from '../../../np_ready/angular/doc_table/lib/get_sort'; import FixturesStubbedLogstashIndexPatternProvider from 'fixtures/stubbed_logstash_index_pattern'; -const defaultSort = [{ time: 'desc' }]; let indexPattern; describe('docTable', function() { 
@@ -51,26 +50,26 @@ describe('docTable', function() { expect(getSort([{ bytes: 'desc' }], indexPattern)).to.eql([{ bytes: 'desc' }]); }); - it('should sort by the default when passed an unsortable field', function() { - expect(getSort(['non-sortable', 'asc'], indexPattern)).to.eql(defaultSort); - expect(getSort(['lol_nope', 'asc'], indexPattern)).to.eql(defaultSort); + it('should return an empty array when passed an unsortable field', function() { + expect(getSort(['non-sortable', 'asc'], indexPattern)).to.eql([]); + expect(getSort(['lol_nope', 'asc'], indexPattern)).to.eql([]); delete indexPattern.timeFieldName; - expect(getSort(['non-sortable', 'asc'], indexPattern)).to.eql([{ _score: 'desc' }]); + expect(getSort(['non-sortable', 'asc'], indexPattern)).to.eql([]); }); - it('should sort in reverse chrono order otherwise on time based patterns', function() { - expect(getSort([], indexPattern)).to.eql(defaultSort); - expect(getSort(['foo'], indexPattern)).to.eql(defaultSort); - expect(getSort({ foo: 'bar' }, indexPattern)).to.eql(defaultSort); + it('should return an empty array ', function() { + expect(getSort([], indexPattern)).to.eql([]); + expect(getSort(['foo'], indexPattern)).to.eql([]); + expect(getSort({ foo: 'bar' }, indexPattern)).to.eql([]); }); - it('should sort by score on non-time patterns', function() { + it('should return an empty array on non-time patterns', function() { delete indexPattern.timeFieldName; - expect(getSort([], indexPattern)).to.eql([{ _score: 'desc' }]); - expect(getSort(['foo'], indexPattern)).to.eql([{ _score: 'desc' }]); - expect(getSort({ foo: 'bar' }, indexPattern)).to.eql([{ _score: 'desc' }]); + expect(getSort([], indexPattern)).to.eql([]); + expect(getSort(['foo'], indexPattern)).to.eql([]); + expect(getSort({ foo: 'bar' }, indexPattern)).to.eql([]); }); }); 
@@ -87,19 +86,19 @@ describe('docTable', function() { expect(getSort.array([{ bytes: 'desc' }], indexPattern)).to.eql([['bytes', 'desc']]); }); - it('should sort by the default when passed an unsortable field', function() { - expect(getSort.array([{ 'non-sortable': 'asc' }], indexPattern)).to.eql([['time', 'desc']]); - expect(getSort.array([{ lol_nope: 'asc' }], indexPattern)).to.eql([['time', 'desc']]); + it('should sort by an empty array when an unsortable field is given', function() { + expect(getSort.array([{ 'non-sortable': 'asc' }], indexPattern)).to.eql([]); + expect(getSort.array([{ lol_nope: 'asc' }], indexPattern)).to.eql([]); delete indexPattern.timeFieldName; - expect(getSort.array([{ 'non-sortable': 'asc' }], indexPattern)).to.eql([['_score', 'desc']]); + expect(getSort.array([{ 'non-sortable': 'asc' }], indexPattern)).to.eql([]); }); - it('should sort by the default when passed an empty sort', () => { - expect(getSort.array([], indexPattern)).to.eql([['time', 'desc']]); + it('should return an empty array when passed an empty sort array', () => { + expect(getSort.array([], indexPattern)).to.eql([]); delete indexPattern.timeFieldName; - expect(getSort.array([], indexPattern)).to.eql([['_score', 'desc']]); + expect(getSort.array([], indexPattern)).to.eql([]); }); }); }); diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/discover.js b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/discover.js index cde0b5d27bdc54c..7924307d007cb9e 100644 --- a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/discover.js +++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/discover.js 
@@ -486,7 +486,14 @@ function discoverController( const { searchFields, selectFields } = await getSharingDataFields(); searchSource.setField('fields', searchFields); - searchSource.setField('sort', getSortForSearchSource($state.sort, $scope.indexPattern)); + searchSource.setField( + 'sort', + getSortForSearchSource( + $state.sort, + $scope.indexPattern, + config.get('discover:sort:defaultOrder') + ) + ); searchSource.setField('highlight', null); searchSource.setField('highlightAll', null); searchSource.setField('aggs', null); @@ -517,11 +524,7 @@ function discoverController( language: localStorage.get('kibana.userQueryLanguage') || config.get('search:queryLanguage'), }, - sort: getSort.array( - savedSearch.sort, - $scope.indexPattern, - config.get('discover:sort:defaultOrder') - ), + sort: getSort.array(savedSearch.sort, $scope.indexPattern), columns: savedSearch.columns.length > 0 ? savedSearch.columns : config.get('defaultColumns').slice(), index: $scope.indexPattern.id, @@ -934,7 +937,10 @@ function discoverController( const { indexPattern, searchSource } = $scope; searchSource .setField('size', $scope.opts.sampleSize) - .setField('sort', getSortForSearchSource($state.sort, indexPattern)) + .setField( + 'sort', + getSortForSearchSource($state.sort, indexPattern, config.get('discover:sort:defaultOrder')) + ) .setField('query', !$state.query ? null : $state.query) .setField('filter', filterManager.getFilters()); }); diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header.ts b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header.ts index a5cb9180333a4af..32174984c1dfb4f 100644 --- a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header.ts +++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header.ts 
@@ -37,6 +37,7 @@ export function createTableHeaderDirective(reactDirective: any, config: IUiSetti
 {
 hideTimeColumn: config.get('doc_table:hideTimeColumn'),
 isShortDots: config.get('shortDots:enable'),
+ defaultSortOrder: config.get('discover:sort:defaultOrder'),
 }
 );
 }
diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/helpers.tsx b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/helpers.tsx
index 13833d724967a0a..990ace32e644912 100644
--- a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/helpers.tsx
+++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/helpers.tsx
@@ -20,7 +20,7 @@ import { IndexPattern } from '../../../../../kibana_services';
 // @ts-ignore
 import { shortenDottedString } from '../../../../../../../common/utils/shorten_dotted_string';
-export type SortOrder = [string, 'asc' | 'desc'];
+export type SortOrder = [string, string];
 export interface ColumnProps {
 name: string;
 displayName: string;
diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/table_header.test.tsx b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/table_header.test.tsx
index ef3d4ecc4b18fce..b201bea26503ea7 100644
--- a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/table_header.test.tsx
+++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/table_header.test.tsx
@@ -59,6 +59,7 @@ function getMockProps(props = {}) {
 indexPattern: getMockIndexPattern(),
 hideTimeColumn: false,
 columns: ['first', 'middle', 'last'],
+ defaultSortOrder: 'desc',
 sortOrder: [['time', 'asc']] as SortOrder[],
 isShortDots: true,
 onRemoveColumn: jest.fn(),
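Review bot: Widening `SortOrder` to `[string, string]` in the helpers.tsx hunk drops the compile-time guarantee that a sort direction is `'asc'` or `'desc'`, so a malformed value from saved-search or URL state now flows unchecked into the header's direction handling and into the Elasticsearch request. The widening appears to exist only because the advanced setting read in table_header.ts is untyped; narrowing it once at that boundary, e.g. `defaultSortOrder: config.get('discover:sort:defaultOrder') === 'asc' ? 'asc' : 'desc',`, would let the tuple keep a `type SortDirection = 'asc' | 'desc'` member. The new `defaultSortOrder: string` prop in table_header.tsx could then be `SortDirection` as well.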
diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/table_header.tsx b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/table_header.tsx index 17b961dbe68326e..2ca53d5a34b0397 100644 --- a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/table_header.tsx +++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/components/table_header/table_header.tsx @@ -21,9 +21,11 @@ import { IndexPattern } from '../../../../../kibana_services'; // @ts-ignore import { TableHeaderColumn } from './table_header_column'; import { SortOrder, getDisplayedColumns } from './helpers'; +import { getDefaultSort } from '../../lib/get_default_sort'; interface Props { columns: string[]; + defaultSortOrder: string; hideTimeColumn: boolean; indexPattern: IndexPattern; isShortDots: boolean; @@ -35,6 +37,7 @@ interface Props { export function TableHeader({ columns, + defaultSortOrder, hideTimeColumn, indexPattern, isShortDots, @@ -53,7 +56,9 @@ export function TableHeader({ = { desc: 'fa fa-sort-down', asc: 'fa fa-sort-up', '': 'fa fa-sort', diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_default_sort.ts b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_default_sort.ts new file mode 100644 index 000000000000000..634e3cfec3a0bd8 --- /dev/null +++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_default_sort.ts 
@@ -0,0 +1,37 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { IndexPattern } from '../../../../kibana_services';
+// @ts-ignore
+import { isSortable } from './get_sort';
+import { SortOrder } from '../components/table_header/helpers';
+/**
+ * use in case the user didn't manually sort.
+ * the default sort is returned depending of the index pattern
+ */
+export function getDefaultSort(
+ indexPattern: IndexPattern,
+ defaultSortOrder: string = 'desc'
+): SortOrder[] {
+ if (indexPattern.timeFieldName && isSortable(indexPattern.timeFieldName, indexPattern)) {
+ return [[indexPattern.timeFieldName, defaultSortOrder]];
+ } else {
+ return [['_score', defaultSortOrder]];
+ }
+}
diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_sort.js b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_sort.js
index 0da53f088e76263..ce32fdaeda23755 100644
--- a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_sort.js
+++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_sort.js
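Review bot: `getDefaultSort` applies `defaultSortOrder` to the `_score` fallback, whereas the branch this patch removes from get_sort.js hard-coded `[{ _score: 'desc' }]`; with `discover:sort:defaultOrder` set to `asc`, an index pattern without a sortable time field now lists the least relevant hits first. If that is not intended, keep `return [['_score', 'desc']];` in the else branch and mention in the docstring that the setting only governs the time-field default. The `defaultSortOrder: string` parameter would also be tighter as `'asc' | 'desc'`, matching what `getSortForSearchSource` declares, so an unexpected advanced-setting value is rejected at the boundary rather than forwarded to Elasticsearch. The docstring could be more precise as well: `Default sort used when the user has not chosen one: the pattern's time field if it is sortable, otherwise _score.`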
@@ -19,7 +19,7 @@ import _ from 'lodash';
-function isSortable(field, indexPattern) {
+export function isSortable(field, indexPattern) {
 return indexPattern.fields.getByName(field) && indexPattern.fields.getByName(field).sortable;
 }
@@ -41,7 +41,7 @@ function createSortObject(sortPair, indexPattern) {
 * @param {object} indexPattern used for determining default sort
 * @returns {object} a sort object suitable for returning to elasticsearch
 */
-export function getSort(sort, indexPattern, defaultSortOrder = 'desc') {
+export function getSort(sort, indexPattern) {
 let sortObjects;
 if (Array.isArray(sort)) {
 sortObjects = _.compact(sort.map(sortPair => createSortObject(sortPair, indexPattern)));
@@ -49,15 +49,12 @@ export function getSort(sort, indexPattern, defaultSortOrder = 'desc') {
 if (!_.isEmpty(sortObjects)) {
 return sortObjects;
- } else if (indexPattern.timeFieldName && isSortable(indexPattern.timeFieldName, indexPattern)) {
- return [{ [indexPattern.timeFieldName]: defaultSortOrder }];
- } else {
- return [{ _score: 'desc' }];
 }
+ return [];
 }
-getSort.array = function(sort, indexPattern, defaultSortOrder) {
- return getSort(sort, indexPattern, defaultSortOrder).map(sortPair =>
+getSort.array = function(sort, indexPattern) {
+ return getSort(sort, indexPattern).map(sortPair =>
 _(sortPair)
 .pairs()
 .pop()
diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_sort_for_search_source.ts b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_sort_for_search_source.ts
index 26bba4589cf6a53..62a44d30adfd55e 100644
--- a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_sort_for_search_source.ts
+++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/doc_table/lib/get_sort_for_search_source.ts
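Review bot: The JSDoc kept as context above `getSort` still reads `@param {object} indexPattern used for determining default sort`, but this patch removes the default-sort branches from the function and it now returns `[]` when nothing sortable remains, so the comment documents behaviour that no longer exists. Update it to `@param {object} indexPattern used to check whether each requested field is sortable` and add `@returns {object[]} sort objects for elasticsearch, or [] when no valid sort was given`. `isSortable` is now exported for get_default_sort.ts but still returns the field object or `undefined` rather than a boolean; `const field = indexPattern.fields.getByName(field); return Boolean(field && field.sortable);` would make the contract explicit for the new caller and avoid the double lookup.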
@@ -19,16 +19,24 @@
 import { IndexPattern } from '../../../../kibana_services';
 import { SortOrder } from '../components/table_header/helpers';
 import { getSort } from './get_sort';
+import { getDefaultSort } from './get_default_sort';
 /**
- * prepares sort for search source, that's sending the request to ES
- * handles the special case when there's sorting by date_nanos typed fields
- * the addon of the numeric_type guarantees the right sort order
- * when there are indices with date and indices with date_nanos field
+ * Prepares sort for search source, that's sending the request to ES
+ * - Adds default sort if necessary
+ * - Handles the special case when there's sorting by date_nanos typed fields
+ * the addon of the numeric_type guarantees the right sort order
+ * when there are indices with date and indices with date_nanos field
 */
-export function getSortForSearchSource(sort?: SortOrder[], indexPattern?: IndexPattern) {
+export function getSortForSearchSource(
+ sort?: SortOrder[],
+ indexPattern?: IndexPattern,
+ defaultDirection: 'asc' | 'desc' = 'desc'
+) {
 if (!sort || !indexPattern) {
 return [];
+ } else if (Array.isArray(sort) && sort.length === 0) {
+ sort = getDefaultSort(indexPattern, defaultDirection);
 }
 const { timeFieldName } = indexPattern;
 return getSort(sort, indexPattern).map((sortPair: Record) => {
diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/embeddable/search_embeddable.ts b/src/legacy/core_plugins/kibana/public/discover/np_ready/embeddable/search_embeddable.ts
index 3aa8dea816694ff..c840f1fbd87ed1e 100644
--- a/src/legacy/core_plugins/kibana/public/discover/np_ready/embeddable/search_embeddable.ts
+++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/embeddable/search_embeddable.ts
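Review bot: After the new `else if` substitutes `getDefaultSort`, the `_score` fallback still has to pass through `getSort`, which in get_sort.js compacts away any pair `createSortObject` rejects (that helper is outside the hunks shown); unless `_score` is registered as a sortable field on the index pattern, the default is dropped and the request goes out with an empty sort, something the removed `[{ _score: 'desc' }]` branch could never do. A unit test calling `getSortForSearchSource([], patternWithoutTimeField)` and asserting a `_score` entry would pin this down. The `sort` parameter is also reassigned inside the branch; `const effectiveSort = sort.length === 0 ? getDefaultSort(indexPattern, defaultDirection) : sort;` avoids mutating the argument, and `Array.isArray(sort)` is redundant once `sort` is narrowed to `SortOrder[]`. The function's body continues past the end of this hunk.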
@@ -266,7 +266,11 @@ export class SearchEmbeddable extends Embeddable
     searchSource.setField('size', getServices().uiSettings.get('discover:sampleSize'));
     searchSource.setField(
       'sort',
-      getSortForSearchSource(this.searchScope.sort, this.searchScope.indexPattern)
+      getSortForSearchSource(
+        this.searchScope.sort,
+        this.searchScope.indexPattern,
+        getServices().uiSettings.get('discover:sort:defaultOrder')
+      )
     );
     // Log request to inspector
diff --git a/test/functional/apps/discover/_shared_links.js b/test/functional/apps/discover/_shared_links.js
index 291e46e308ee941..d7160a39679b701 100644
--- a/test/functional/apps/discover/_shared_links.js
+++ b/test/functional/apps/discover/_shared_links.js
@@ -88,7 +88,7 @@ export default function({ getService, getPageObjects }) {
         ":(from:'2015-09-19T06:31:44.000Z',to:'2015-09" +
         "-23T18:31:44.000Z'))&_a=(columns:!(_source),index:'logstash-" +
         "*',interval:auto,query:(language:kuery,query:'')" +
-        ",sort:!(!('@timestamp',desc)))";
+        ',sort:!())';
       const actualUrl = await PageObjects.share.getSharedUrl();
       // strip the timestamp out of each URL
       expect(actualUrl.replace(/_t=\d{13}/, '_t=TIMESTAMP')).to.be(
From e67cc8514aa7aeb2e5a54bc1af2a61da19470fe3 Mon Sep 17 00:00:00 2001
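Review bot: The value of `uiSettings.get('discover:sort:defaultOrder')` is handed to a parameter typed `'asc' | 'desc'` without being narrowed, so whatever string is stored in that advanced setting flows straight into the Elasticsearch sort direction; presumably the settings UI restricts it to those two values, but a value written through the settings API is not checked here — confirm. A one-line normalisation keeps the contract honest: `const defaultOrder = getServices().uiSettings.get('discover:sort:defaultOrder') === 'asc' ? 'asc' : 'desc';` passed as the third argument. The enclosing method starts and ends outside the hunk.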
From: spalger Date: Thu, 23 Jan 2020 23:32:10 -0700 Subject: [PATCH 03/10] Revert "[csp] allow blob styles when running from source (#54991)" This reverts commit 375f0b42a7b449cc5d0b73f15595f40de8fa998b. --- ...lugin-server.coresetup.getstartservices.md | 34 +++++----- .../server/kibana-plugin-server.coresetup.md | 64 +++++++++---------- ...kibana-plugin-server.cspconfig.default.md} | 6 +- .../server/kibana-plugin-server.cspconfig.md | 2 +- .../server/kibana-plugin-server.icspconfig.md | 1 - ...rver.icspconfig.ruleschangedfromdefault.md | 13 ---- .../src/kbn_client/kbn_client_status.ts | 6 -- packages/kbn-pm/dist/index.js | 4 -- src/core/server/config/env.mock.ts | 29 --------- src/core/server/csp/csp_config.test.ts | 47 ++++++-------- src/core/server/csp/csp_config.ts | 31 ++------- src/core/server/http/http_config.ts | 5 +- src/core/server/http/http_service.mock.ts | 3 +- src/core/server/http/http_service.ts | 2 +- src/core/server/http/http_tools.test.ts | 7 +- src/core/server/legacy/legacy_service.ts | 4 +- src/core/server/mocks.ts | 3 +- src/core/server/server.api.md | 7 +- .../csp_usage_collector/csp_collector.test.ts | 6 +- .../lib/csp_usage_collector/csp_collector.ts | 9 +-- .../status/routes/api/register_status.js | 3 - test/api_integration/apis/general/csp.js | 4 +- .../apis/implicit_flow/oidc_auth.ts | 8 +-- .../apis/security/saml_login.ts | 8 +-- x-pack/test/saml_api_integration/config.ts | 1 - 25 files changed, 96 insertions(+), 211 deletions(-) rename docs/development/core/server/{kibana-plugin-server.cspconfig.ruleschangedfromdefault.md => kibana-plugin-server.cspconfig.default.md} (56%) delete mode 100644 docs/development/core/server/kibana-plugin-server.icspconfig.ruleschangedfromdefault.md delete mode 100644 src/core/server/config/env.mock.ts 
diff --git a/docs/development/core/server/kibana-plugin-server.coresetup.getstartservices.md b/docs/development/core/server/kibana-plugin-server.coresetup.getstartservices.md index 589529cf2a7f794..b05d28899f9d235 100644 --- a/docs/development/core/server/kibana-plugin-server.coresetup.getstartservices.md +++ b/docs/development/core/server/kibana-plugin-server.coresetup.getstartservices.md @@ -1,17 +1,17 @@ - - -[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CoreSetup](./kibana-plugin-server.coresetup.md) > [getStartServices](./kibana-plugin-server.coresetup.getstartservices.md) - -## CoreSetup.getStartServices() method - -Allows plugins to get access to APIs available in start inside async handlers. Promise will not resolve until Core and plugin dependencies have completed `start`. This should only be used inside handlers registered during `setup` that will only be executed after `start` lifecycle. - -Signature: - -```typescript -getStartServices(): Promise<[CoreStart, TPluginsStart]>; -``` -Returns: - -`Promise<[CoreStart, TPluginsStart]>` - + + +[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CoreSetup](./kibana-plugin-server.coresetup.md) > [getStartServices](./kibana-plugin-server.coresetup.getstartservices.md) + +## CoreSetup.getStartServices() method + +Allows plugins to get access to APIs available in start inside async handlers. Promise will not resolve until Core and plugin dependencies have completed `start`. This should only be used inside handlers registered during `setup` that will only be executed after `start` lifecycle. + +Signature: + +```typescript +getStartServices(): Promise<[CoreStart, TPluginsStart]>; +``` +Returns: + +`Promise<[CoreStart, TPluginsStart]>` + diff --git a/docs/development/core/server/kibana-plugin-server.coresetup.md b/docs/development/core/server/kibana-plugin-server.coresetup.md index 325f7216122b587..c36d649837e8a84 100644 
--- a/docs/development/core/server/kibana-plugin-server.coresetup.md +++ b/docs/development/core/server/kibana-plugin-server.coresetup.md 
@@ -1,32 +1,32 @@ - - -[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CoreSetup](./kibana-plugin-server.coresetup.md) - -## CoreSetup interface - -Context passed to the plugins `setup` method. - -Signature: - -```typescript -export interface CoreSetup -``` - -## Properties - -| Property | Type | Description | -| --- | --- | --- | -| [capabilities](./kibana-plugin-server.coresetup.capabilities.md) | CapabilitiesSetup | [CapabilitiesSetup](./kibana-plugin-server.capabilitiessetup.md) | -| [context](./kibana-plugin-server.coresetup.context.md) | ContextSetup | [ContextSetup](./kibana-plugin-server.contextsetup.md) | -| [elasticsearch](./kibana-plugin-server.coresetup.elasticsearch.md) | ElasticsearchServiceSetup | [ElasticsearchServiceSetup](./kibana-plugin-server.elasticsearchservicesetup.md) | -| [http](./kibana-plugin-server.coresetup.http.md) | HttpServiceSetup | [HttpServiceSetup](./kibana-plugin-server.httpservicesetup.md) | -| [savedObjects](./kibana-plugin-server.coresetup.savedobjects.md) | SavedObjectsServiceSetup | [SavedObjectsServiceSetup](./kibana-plugin-server.savedobjectsservicesetup.md) | -| [uiSettings](./kibana-plugin-server.coresetup.uisettings.md) | UiSettingsServiceSetup | [UiSettingsServiceSetup](./kibana-plugin-server.uisettingsservicesetup.md) | -| [uuid](./kibana-plugin-server.coresetup.uuid.md) | UuidServiceSetup | [UuidServiceSetup](./kibana-plugin-server.uuidservicesetup.md) | - -## Methods - -| Method | Description | -| --- | --- | -| [getStartServices()](./kibana-plugin-server.coresetup.getstartservices.md) | Allows plugins to get access to APIs available in start inside async handlers. Promise will not resolve until Core and plugin dependencies have completed start. This should only be used inside handlers registered during setup that will only be executed after start lifecycle. 
| - + + +[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CoreSetup](./kibana-plugin-server.coresetup.md) + +## CoreSetup interface + +Context passed to the plugins `setup` method. + +Signature: + +```typescript +export interface CoreSetup +``` + +## Properties + +| Property | Type | Description | +| --- | --- | --- | +| [capabilities](./kibana-plugin-server.coresetup.capabilities.md) | CapabilitiesSetup | [CapabilitiesSetup](./kibana-plugin-server.capabilitiessetup.md) | +| [context](./kibana-plugin-server.coresetup.context.md) | ContextSetup | [ContextSetup](./kibana-plugin-server.contextsetup.md) | +| [elasticsearch](./kibana-plugin-server.coresetup.elasticsearch.md) | ElasticsearchServiceSetup | [ElasticsearchServiceSetup](./kibana-plugin-server.elasticsearchservicesetup.md) | +| [http](./kibana-plugin-server.coresetup.http.md) | HttpServiceSetup | [HttpServiceSetup](./kibana-plugin-server.httpservicesetup.md) | +| [savedObjects](./kibana-plugin-server.coresetup.savedobjects.md) | SavedObjectsServiceSetup | [SavedObjectsServiceSetup](./kibana-plugin-server.savedobjectsservicesetup.md) | +| [uiSettings](./kibana-plugin-server.coresetup.uisettings.md) | UiSettingsServiceSetup | [UiSettingsServiceSetup](./kibana-plugin-server.uisettingsservicesetup.md) | +| [uuid](./kibana-plugin-server.coresetup.uuid.md) | UuidServiceSetup | [UuidServiceSetup](./kibana-plugin-server.uuidservicesetup.md) | + +## Methods + +| Method | Description | +| --- | --- | +| [getStartServices()](./kibana-plugin-server.coresetup.getstartservices.md) | Allows plugins to get access to APIs available in start inside async handlers. Promise will not resolve until Core and plugin dependencies have completed start. This should only be used inside handlers registered during setup that will only be executed after start lifecycle. | + 
diff --git a/docs/development/core/server/kibana-plugin-server.cspconfig.ruleschangedfromdefault.md b/docs/development/core/server/kibana-plugin-server.cspconfig.default.md similarity index 56% rename from docs/development/core/server/kibana-plugin-server.cspconfig.ruleschangedfromdefault.md rename to docs/development/core/server/kibana-plugin-server.cspconfig.default.md index 3320785935b2120..56e6cf35cdd1368 100644 --- a/docs/development/core/server/kibana-plugin-server.cspconfig.ruleschangedfromdefault.md +++ b/docs/development/core/server/kibana-plugin-server.cspconfig.default.md @@ -1,11 +1,11 @@ -[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CspConfig](./kibana-plugin-server.cspconfig.md) > [rulesChangedFromDefault](./kibana-plugin-server.cspconfig.ruleschangedfromdefault.md) +[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CspConfig](./kibana-plugin-server.cspconfig.md) > [DEFAULT](./kibana-plugin-server.cspconfig.default.md) -## CspConfig.rulesChangedFromDefault property +## CspConfig.DEFAULT property Signature: ```typescript -readonly rulesChangedFromDefault: boolean; +static readonly DEFAULT: CspConfig; ``` diff --git a/docs/development/core/server/kibana-plugin-server.cspconfig.md b/docs/development/core/server/kibana-plugin-server.cspconfig.md index 6f12d64676ce966..7e491cb0df9120d 100644 --- a/docs/development/core/server/kibana-plugin-server.cspconfig.md +++ b/docs/development/core/server/kibana-plugin-server.cspconfig.md 
@@ -20,9 +20,9 @@ The constructor for this class is marked as internal. Third-party code should no | Property | Modifiers | Type | Description | | --- | --- | --- | --- | +| [DEFAULT](./kibana-plugin-server.cspconfig.default.md) | static | CspConfig | | | [header](./kibana-plugin-server.cspconfig.header.md) | | string | | | [rules](./kibana-plugin-server.cspconfig.rules.md) | | string[] | | -| [rulesChangedFromDefault](./kibana-plugin-server.cspconfig.ruleschangedfromdefault.md) | | boolean | | | [strict](./kibana-plugin-server.cspconfig.strict.md) | | boolean | | | [warnLegacyBrowsers](./kibana-plugin-server.cspconfig.warnlegacybrowsers.md) | | boolean | | diff --git a/docs/development/core/server/kibana-plugin-server.icspconfig.md b/docs/development/core/server/kibana-plugin-server.icspconfig.md index 00107d561873fed..fb8188386a37669 100644 --- a/docs/development/core/server/kibana-plugin-server.icspconfig.md +++ b/docs/development/core/server/kibana-plugin-server.icspconfig.md @@ -18,7 +18,6 @@ export interface ICspConfig | --- | --- | --- | | [header](./kibana-plugin-server.icspconfig.header.md) | string | The CSP rules in a formatted directives string for use in a Content-Security-Policy header. | | [rules](./kibana-plugin-server.icspconfig.rules.md) | string[] | The CSP rules used for Kibana. | -| [rulesChangedFromDefault](./kibana-plugin-server.icspconfig.ruleschangedfromdefault.md) | boolean | Flag indicating that the configuraion changes the csp rules from the defaults | | [strict](./kibana-plugin-server.icspconfig.strict.md) | boolean | Specify whether browsers that do not support CSP should be able to use Kibana. Use true to block and false to allow. | | [warnLegacyBrowsers](./kibana-plugin-server.icspconfig.warnlegacybrowsers.md) | boolean | Specify whether users with legacy browsers should be warned about their lack of Kibana security compliance. | 
diff --git a/docs/development/core/server/kibana-plugin-server.icspconfig.ruleschangedfromdefault.md b/docs/development/core/server/kibana-plugin-server.icspconfig.ruleschangedfromdefault.md deleted file mode 100644 index 427c07d2d1e4d12..000000000000000 --- a/docs/development/core/server/kibana-plugin-server.icspconfig.ruleschangedfromdefault.md +++ /dev/null @@ -1,13 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [ICspConfig](./kibana-plugin-server.icspconfig.md) > [rulesChangedFromDefault](./kibana-plugin-server.icspconfig.ruleschangedfromdefault.md) - -## ICspConfig.rulesChangedFromDefault property - -Flag indicating that the configuraion changes the csp rules from the defaults - -Signature: - -```typescript -readonly rulesChangedFromDefault: boolean; -``` diff --git a/packages/kbn-dev-utils/src/kbn_client/kbn_client_status.ts b/packages/kbn-dev-utils/src/kbn_client/kbn_client_status.ts index 3775aecb2db0953..22baf4a33041681 100644 --- a/packages/kbn-dev-utils/src/kbn_client/kbn_client_status.ts +++ b/packages/kbn-dev-utils/src/kbn_client/kbn_client_status.ts @@ -32,7 +32,6 @@ interface Status { interface ApiResponseStatus { name: string; uuid: string; - running_from_source?: true; version: { number: string; build_hash: string; @@ -59,11 +58,6 @@ export class KbnClientStatus { }); } - public async isDistributable() { - const status = await this.get(); - return !status.running_from_source; - } - /** * Get the overall/merged state */ diff --git a/packages/kbn-pm/dist/index.js b/packages/kbn-pm/dist/index.js index 364b91a30841ca0..8bded9d403c215d 100644 --- a/packages/kbn-pm/dist/index.js +++ b/packages/kbn-pm/dist/index.js @@ -43639,10 +43639,6 @@ class KbnClientStatus { path: 'api/status', }); } - async isDistributable() { - const status = await this.get(); - return !status.running_from_source; - } /** * Get the overall/merged state */ 
diff --git a/src/core/server/config/env.mock.ts b/src/core/server/config/env.mock.ts deleted file mode 100644 index f9b4e0732c1cb6a..000000000000000 --- a/src/core/server/config/env.mock.ts +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -import { Env } from './env'; - -export function createMockEnv(options: { dist?: boolean } = {}): Env { - return { - // required by CspConfig - packageInfo: { - dist: options.dist ?? true, - }, - } as any; -} diff --git a/src/core/server/csp/csp_config.test.ts b/src/core/server/csp/csp_config.test.ts index 15cddc6fccd3421..45fa8445791b07d 100644 --- a/src/core/server/csp/csp_config.test.ts +++ b/src/core/server/csp/csp_config.test.ts @@ -18,7 +18,6 @@ */ import { CspConfig } from '.'; -import { createMockEnv } from '../config/env.mock'; // CSP rules aren't strictly additive, so any change can potentially expand or // restrict the policy in a way we consider a breaking change. For that reason, 
@@ -34,10 +33,23 @@ import { createMockEnv } from '../config/env.mock'; // the nature of a change in defaults during a PR review. describe('CspConfig', () => { - test('defaults from config', () => { - const cspConfig = new CspConfig(createMockEnv()); + test('DEFAULT', () => { + expect(CspConfig.DEFAULT).toMatchInlineSnapshot(` + CspConfig { + "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", + "rules": Array [ + "script-src 'unsafe-eval' 'self'", + "worker-src blob: 'self'", + "style-src 'unsafe-inline' 'self'", + ], + "strict": true, + "warnLegacyBrowsers": true, + } + `); + }); - expect(cspConfig).toMatchInlineSnapshot(` + test('defaults from config', () => { + expect(new CspConfig()).toMatchInlineSnapshot(` CspConfig { "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "rules": Array [ @@ -45,7 +57,6 @@ describe('CspConfig', () => { "worker-src blob: 'self'", "style-src 'unsafe-inline' 'self'", ], - "rulesChangedFromDefault": false, "strict": true, "warnLegacyBrowsers": true, } @@ -53,9 +64,7 @@ describe('CspConfig', () => { }); test('creates from partial config', () => { - const cspConfig = new CspConfig(createMockEnv(), { strict: false, warnLegacyBrowsers: false }); - - expect(cspConfig).toMatchInlineSnapshot(` + expect(new CspConfig({ strict: false, warnLegacyBrowsers: false })).toMatchInlineSnapshot(` CspConfig { "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "rules": Array [ @@ -63,7 +72,6 @@ describe('CspConfig', () => { "worker-src blob: 'self'", "style-src 'unsafe-inline' 'self'", ], - "rulesChangedFromDefault": false, "strict": false, "warnLegacyBrowsers": false, } 
@@ -71,7 +79,7 @@ describe('CspConfig', () => { }); test('computes header from rules', () => { - const cspConfig = new CspConfig(createMockEnv(), { rules: ['alpha', 'beta', 'gamma'] }); + const cspConfig = new CspConfig({ rules: ['alpha', 'beta', 'gamma'] }); expect(cspConfig).toMatchInlineSnapshot(` CspConfig { @@ -81,25 +89,6 @@ describe('CspConfig', () => { "beta", "gamma", ], - "rulesChangedFromDefault": true, - "strict": true, - "warnLegacyBrowsers": true, - } - `); - }); - - test(`includes blob: style-src if env indicates we're running from source`, () => { - const cspConfig = new CspConfig(createMockEnv({ dist: false })); - - expect(cspConfig).toMatchInlineSnapshot(` - CspConfig { - "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src blob: 'unsafe-inline' 'self'", - "rules": Array [ - "script-src 'unsafe-eval' 'self'", - "worker-src blob: 'self'", - "style-src blob: 'unsafe-inline' 'self'", - ], - "rulesChangedFromDefault": false, "strict": true, "warnLegacyBrowsers": true, } diff --git a/src/core/server/csp/csp_config.ts b/src/core/server/csp/csp_config.ts index 592a7209f43642f..bb57702a4a2414b 100644 --- a/src/core/server/csp/csp_config.ts +++ b/src/core/server/csp/csp_config.ts @@ -18,7 +18,6 @@ */ import { config } from './config'; -import { Env } from '../config'; const DEFAULT_CONFIG = Object.freeze(config.schema.validate({})); @@ -49,12 +48,6 @@ export interface ICspConfig { * in a `Content-Security-Policy` header. */ readonly header: string; - - /** - * Flag indicating that the configuraion changes the csp - * rules from the defaults - */ - readonly rulesChangedFromDefault: boolean; } /** 
@@ -62,37 +55,23 @@ export interface ICspConfig {
  * @public
  */
 export class CspConfig implements ICspConfig {
+  static readonly DEFAULT = new CspConfig();
+
   public readonly rules: string[];
   public readonly strict: boolean;
   public readonly warnLegacyBrowsers: boolean;
   public readonly header: string;
-  public readonly rulesChangedFromDefault: boolean;
   /**
    * Returns the default CSP configuration when passed with no config
    * @internal
    */
-  constructor(env: Env, rawCspConfig?: Partial>) {
+  constructor(rawCspConfig: Partial> = {}) {
     const source = { ...DEFAULT_CONFIG, ...rawCspConfig };
-    this.rules = source.rules.map(rule => {
-      // if we receive an env, and it indicates that this isn't a distributable, add `blob:` to the style csp rules
-      if (env && !env.packageInfo.dist && rule.startsWith('style-src ')) {
-        return rule.replace(/^style-src /, 'style-src blob: ');
-      }
-
-      return rule;
-    });
+    this.rules = source.rules;
     this.strict = source.strict;
     this.warnLegacyBrowsers = source.warnLegacyBrowsers;
-    this.header = this.rules.join('; ');
-
-    // only check to see if the csp values are customized when `rawCspConfig` was received.
-    if (!rawCspConfig) {
-      this.rulesChangedFromDefault = false;
-    } else {
-      const defaultCsp = new CspConfig(env);
-      this.rulesChangedFromDefault = defaultCsp.header !== this.header;
-    }
+    this.header = source.rules.join('; ');
   }
 }
diff --git a/src/core/server/http/http_config.ts b/src/core/server/http/http_config.ts
index b249dbb5b6a0424..73f44f3c5ab5ce8 100644
--- a/src/core/server/http/http_config.ts
+++ b/src/core/server/http/http_config.ts
@@ -22,7 +22,6 @@ import { hostname } from 'os';
 import { CspConfigType, CspConfig, ICspConfig } from '../csp';
 import { SslConfig, sslSchema } from './ssl_config';
-import { Env } from '../config';
 const validBasePathRegex = /(^$|^\/.*[^\/]$)/;
 const uuidRegexp = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-5][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
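Review bot: `this.rules = source.rules;` stores the `DEFAULT_CONFIG.rules` array itself whenever `rawCspConfig` carries no `rules`, and `Object.freeze(config.schema.validate({}))` is a shallow freeze, so that array stays mutable; because `csp` is handed to plugins on core setup with `rules: string[]`, a `csp.rules.push(...)` on any such instance (including `CspConfig.DEFAULT`) would alter the defaults inherited by every later `new CspConfig()`. The `.map()` this revert removes happened to copy the array, so in isolation this is a small regression; keep the copy with `this.rules = [...source.rules];` or declare the property as `readonly string[]` on ICspConfig. `header` is computed once in the constructor and would not drift, but the telemetry comparison against `CspConfig.DEFAULT.header` also assumes the default never changes. The `static readonly DEFAULT = new CspConfig()` initializer relies on `DEFAULT_CONFIG` already being evaluated at module load, which the context at the top of the file shows it is.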
@@ -149,7 +148,7 @@ export class HttpConfig { /** * @internal */ - constructor(rawHttpConfig: HttpConfigType, rawCspConfig: CspConfigType, env: Env) { + constructor(rawHttpConfig: HttpConfigType, rawCspConfig: CspConfigType) { this.autoListen = rawHttpConfig.autoListen; this.host = rawHttpConfig.host; this.port = rawHttpConfig.port; @@ -163,7 +162,7 @@ export class HttpConfig { this.rewriteBasePath = rawHttpConfig.rewriteBasePath; this.ssl = new SslConfig(rawHttpConfig.ssl || {}); this.compression = rawHttpConfig.compression; - this.csp = new CspConfig(env, rawCspConfig); + this.csp = new CspConfig(rawCspConfig); this.xsrf = rawHttpConfig.xsrf; } } diff --git a/src/core/server/http/http_service.mock.ts b/src/core/server/http/http_service.mock.ts index 7fc2f5d99082483..6db1ca80ab43707 100644 --- a/src/core/server/http/http_service.mock.ts +++ b/src/core/server/http/http_service.mock.ts @@ -21,7 +21,6 @@ import { Server } from 'hapi'; import { CspConfig } from '../csp'; import { mockRouter } from './router/router.mock'; import { configMock } from '../config/config.mock'; -import { createMockEnv } from '../config/env.mock'; import { InternalHttpServiceSetup } from './types'; import { HttpService } from './http_service'; import { OnPreAuthToolkit } from './lifecycle/on_pre_auth'; @@ -62,7 +61,7 @@ const createSetupContractMock = () => { registerOnPreResponse: jest.fn(), createRouter: jest.fn().mockImplementation(() => mockRouter.create({})), basePath: createBasePathMock(), - csp: new CspConfig(createMockEnv()), + csp: CspConfig.DEFAULT, auth: { get: jest.fn(), isAuthenticated: jest.fn(), diff --git a/src/core/server/http/http_service.ts b/src/core/server/http/http_service.ts index 8a86667a1a6bc15..ae9d53f9fd3db21 100644 --- a/src/core/server/http/http_service.ts +++ b/src/core/server/http/http_service.ts 
@@ -70,7 +70,7 @@ export class HttpService implements CoreService(httpConfig.path), configService.atPath(cspConfig.path), - ]).pipe(map(([http, csp]) => new HttpConfig(http, csp, env))); + ]).pipe(map(([http, csp]) => new HttpConfig(http, csp))); this.httpServer = new HttpServer(logger, 'Kibana'); this.httpsRedirectServer = new HttpsRedirectServer(logger.get('http', 'redirect', 'server')); } diff --git a/src/core/server/http/http_tools.test.ts b/src/core/server/http/http_tools.test.ts index d552339f1ea1c87..c1322a5aa94dbdd 100644 --- a/src/core/server/http/http_tools.test.ts +++ b/src/core/server/http/http_tools.test.ts @@ -29,7 +29,6 @@ import { defaultValidationErrorHandler, HapiValidationError, getServerOptions } import { HttpServer } from './http_server'; import { HttpConfig, config } from './http_config'; import { Router } from './router'; -import { createMockEnv } from '../config/env.mock'; import { loggingServiceMock } from '../logging/logging_service.mock'; import { ByteSizeValue } from '@kbn/config-schema'; @@ -121,8 +120,7 @@ describe('getServerOptions', () => { certificate: 'some-certificate-path', }, }), - {} as any, - createMockEnv() + {} as any ); expect(getServerOptions(httpConfig).tls).toMatchInlineSnapshot(` @@ -151,8 +149,7 @@ describe('getServerOptions', () => { clientAuthentication: 'required', }, }), - {} as any, - createMockEnv() + {} as any ); expect(getServerOptions(httpConfig).tls).toMatchInlineSnapshot(` diff --git a/src/core/server/legacy/legacy_service.ts b/src/core/server/legacy/legacy_service.ts index ca1204f0ac05ced..0cb717e3832aac7 100644 --- a/src/core/server/legacy/legacy_service.ts +++ b/src/core/server/legacy/legacy_service.ts 
@@ -86,7 +86,7 @@ export class LegacyService implements CoreService { public legacyInternals?: ILegacyInternals; constructor(private readonly coreContext: CoreContext) { - const { logger, configService, env } = coreContext; + const { logger, configService } = coreContext; this.log = logger.get('legacy-service'); this.devConfig$ = configService @@ -95,7 +95,7 @@ export class LegacyService implements CoreService { this.httpConfig$ = combineLatest( configService.atPath(httpConfig.path), configService.atPath(cspConfig.path) - ).pipe(map(([http, csp]) => new HttpConfig(http, csp, env))); + ).pipe(map(([http, csp]) => new HttpConfig(http, csp))); } public async discoverPlugins(): Promise { diff --git a/src/core/server/mocks.ts b/src/core/server/mocks.ts index 846c2e4d8c50729..c0a8973d98a548e 100644 --- a/src/core/server/mocks.ts +++ b/src/core/server/mocks.ts @@ -33,7 +33,6 @@ import { capabilitiesServiceMock } from './capabilities/capabilities_service.moc export { httpServerMock } from './http/http_server.mocks'; export { sessionStorageMock } from './http/cookie_session_storage.mocks'; export { configServiceMock } from './config/config_service.mock'; -import { createMockEnv } from './config/env.mock'; export { elasticsearchServiceMock } from './elasticsearch/elasticsearch_service.mock'; export { httpServiceMock } from './http/http_service.mock'; export { loggingServiceMock } from './logging/logging_service.mock'; @@ -98,7 +97,7 @@ function createCoreSetupMock() { registerOnPostAuth: httpService.registerOnPostAuth, registerOnPreResponse: httpService.registerOnPreResponse, basePath: httpService.basePath, - csp: new CspConfig(createMockEnv()), + csp: CspConfig.DEFAULT, isTlsEnabled: httpService.isTlsEnabled, createRouter: jest.fn(), registerRouteHandlerContext: jest.fn(), diff --git a/src/core/server/server.api.md b/src/core/server/server.api.md index 629e6a881199be0..a179e1f35a937f4 100644 --- a/src/core/server/server.api.md +++ b/src/core/server/server.api.md 
@@ -583,14 +583,14 @@ export interface CoreStart { // @public export class CspConfig implements ICspConfig { // @internal - constructor(env: Env, rawCspConfig?: Partial>); + constructor(rawCspConfig?: Partial>); + // (undocumented) + static readonly DEFAULT: CspConfig; // (undocumented) readonly header: string; // (undocumented) readonly rules: string[]; // (undocumented) - readonly rulesChangedFromDefault: boolean; - // (undocumented) readonly strict: boolean; // (undocumented) readonly warnLegacyBrowsers: boolean; @@ -774,7 +774,6 @@ export type IContextProvider, TContextName export interface ICspConfig { readonly header: string; readonly rules: string[]; - readonly rulesChangedFromDefault: boolean; readonly strict: boolean; readonly warnLegacyBrowsers: boolean; } diff --git a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.test.ts b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.test.ts index 584621a1ce13fb1..395cb6058783286 100644 --- a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.test.ts +++ b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.test.ts @@ -18,8 +18,6 @@ */ import { CspConfig, ICspConfig } from '../../../../../../core/server'; -// eslint-disable-next-line @kbn/eslint/no-restricted-paths -import { createMockEnv } from '../../../../../../core/server/config/env.mock'; import { createCspCollector } from './csp_collector'; const createMockKbnServer = () => ({ @@ -27,7 +25,7 @@ const createMockKbnServer = () => ({ setup: { core: { http: { - csp: new CspConfig(createMockEnv()), + csp: new CspConfig(), }, }, }, @@ -38,7 +36,7 @@ describe('csp collector', () => { let kbnServer: ReturnType; function updateCsp(config: Partial) { - kbnServer.newPlatform.setup.core.http.csp = new CspConfig(createMockEnv(), config); + kbnServer.newPlatform.setup.core.http.csp = new CspConfig(config); } beforeEach(() => { 
diff --git a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts
index dce4c7fe6fefc78..6622ed4bef478e6 100644
--- a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts
+++ b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts
@@ -18,6 +18,7 @@
  */
 import { Server } from 'hapi';
+import { CspConfig } from '../../../../../../core/server';
 import { UsageCollectionSetup } from '../../../../../../plugins/usage_collection/server';
 export function createCspCollector(server: Server) {
@@ -25,11 +26,7 @@ export function createCspCollector(server: Server) {
     type: 'csp',
     isReady: () => true,
     async fetch() {
-      const {
-        strict,
-        warnLegacyBrowsers,
-        rulesChangedFromDefault,
-      } = server.newPlatform.setup.core.http.csp;
+      const { strict, warnLegacyBrowsers, header } = server.newPlatform.setup.core.http.csp;
       return {
         strict,
@@ -37,7 +34,7 @@ export function createCspCollector(server: Server) {
         // It's important that we do not send the value of csp.header here as it
         // can be customized with values that can be identifiable to given
         // installs, such as URLs
-        rulesChangedFromDefault,
+        rulesChangedFromDefault: header !== CspConfig.DEFAULT.header,
       };
     },
   };
diff --git a/src/legacy/server/status/routes/api/register_status.js b/src/legacy/server/status/routes/api/register_status.js
index 55bf81f2c5f9a83..259a00667810f88 100644
--- a/src/legacy/server/status/routes/api/register_status.js
+++ b/src/legacy/server/status/routes/api/register_status.js
@@ -18,7 +18,6 @@
  */
 import { wrapAuthConfig } from '../../wrap_auth_config';
-import { IS_KIBANA_DISTRIBUTABLE } from '../../../../utils/artifact_type';
 const matchSnapshot = /-SNAPSHOT$/;
@@ -36,8 +35,6 @@ export function registerStatusApi(kbnServer, server, config) {
       return {
         name: config.get('server.name'),
         uuid: config.get('server.uuid'),
-        // flag to help tests know that kibana is running from source, not included in distributable response
-        ...(IS_KIBANA_DISTRIBUTABLE ? {} : { running_from_source: true }),
         version: {
           number: config.get('pkg.version').replace(matchSnapshot, ''),
           build_hash: config.get('pkg.buildSha'),
diff --git a/test/api_integration/apis/general/csp.js b/test/api_integration/apis/general/csp.js
index 38893c371fb52b8..8c191703070d85f 100644
--- a/test/api_integration/apis/general/csp.js
+++ b/test/api_integration/apis/general/csp.js
@@ -21,7 +21,6 @@ import expect from '@kbn/expect';
 export default function({ getService }) {
   const supertest = getService('supertest');
-  const kibanaServer = getService('kibanaServer');
   describe('csp smoke test', () => {
     it('app response sends content security policy headers', async () => {
@@ -37,12 +36,11 @@ export default function({ getService }) {
         })
       );
-      const isDist = await kibanaServer.status.isDistributable();
       const entries = Array.from(parsed.entries());
       expect(entries).to.eql([
         ['script-src', ["'unsafe-eval'", "'self'"]],
         ['worker-src', ['blob:', "'self'"]],
-        ['style-src', [...(isDist ? [] : ['blob:']), "'unsafe-inline'", "'self'"]],
+        ['style-src', ["'unsafe-inline'", "'self'"]],
       ]);
     });
   });
diff --git a/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts b/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts
index 87979ca643a190d..1f5a64835416aa3 100644
--- a/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts
+++ b/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts
@@ -15,7 +15,6 @@ import { FtrProviderContext } from '../../ftr_provider_context';
 export default function({ getService }: FtrProviderContext) {
 const supertest = getService('supertestWithoutAuth');
 const config = getService('config');
- const kibanaServer = getService('kibanaServer');
 describe('OpenID Connect Implicit Flow authentication', () => {
 describe('finishing handshake', () => {
@@ -57,17 +56,12 @@ export default function({ getService }: FtrProviderContext) {
 });
 await (dom.window as Record).__isScriptExecuted__;
- const isDist = await kibanaServer.status.isDistributable();
 // Check that proxy page is returned with proper headers.
 expect(response.headers['content-type']).to.be('text/html; charset=utf-8');
 expect(response.headers['cache-control']).to.be('private, no-cache, no-store');
 expect(response.headers['content-security-policy']).to.be(
- [
- `script-src 'unsafe-eval' 'self';`,
- `worker-src blob: 'self';`,
- `style-src ${isDist ? '' : 'blob: '}'unsafe-inline' 'self'`,
- ].join(' ')
+ `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`
 );
 // Check that script that forwards URL fragment worked correctly.
diff --git a/x-pack/test/saml_api_integration/apis/security/saml_login.ts b/x-pack/test/saml_api_integration/apis/security/saml_login.ts
index d4de4d601a36c43..0436d59906ea877 100644
--- a/x-pack/test/saml_api_integration/apis/security/saml_login.ts
+++ b/x-pack/test/saml_api_integration/apis/security/saml_login.ts
@@ -17,7 +17,6 @@ export default function({ getService }: FtrProviderContext) {
 const randomness = getService('randomness');
 const supertest = getService('supertestWithoutAuth');
 const config = getService('config');
- const kibanaServer = getService('kibanaServer');
 const kibanaServerConfig = config.get('servers.kibana');
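Review bot: The new expected value in oidc_auth.ts, `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, is a hand-copied literal of the default policy, and the identical literal appears again in the saml_login.ts hunk that follows, so the next default-policy change has to be found and edited in both places (and in csp.js, which encodes the same policy as entries). A single shared constant in the x-pack test helpers, or a comment on each occurrence such as `// Must match the default CSP header (core CspConfig.DEFAULT); update csp.js and saml_login.ts together.`, would make the coupling explicit. Deriving the expectation from `CspConfig.DEFAULT.header` directly would be tidier still, but whether the test configs can import from `core/server` cannot be determined from this diff. The enclosing `it(...)` callback starts and ends outside the hunk.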
@@ -138,17 +137,12 @@ export default function({ getService }: FtrProviderContext) {
 });
 await (dom.window as Record).__isScriptExecuted__;
- const isDist = await kibanaServer.status.isDistributable();
 // Check that proxy page is returned with proper headers.
 expect(response.headers['content-type']).to.be('text/html; charset=utf-8');
 expect(response.headers['cache-control']).to.be('private, no-cache, no-store');
 expect(response.headers['content-security-policy']).to.be(
- [
- `script-src 'unsafe-eval' 'self';`,
- `worker-src blob: 'self';`,
- `style-src ${isDist ? '' : 'blob: '}'unsafe-inline' 'self'`,
- ].join(' ')
+ `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`
 );
 // Check that script that forwards URL fragment worked correctly.
diff --git a/x-pack/test/saml_api_integration/config.ts b/x-pack/test/saml_api_integration/config.ts
index 1d83f374e966c62..6ea29b0d9e56e3e 100644
--- a/x-pack/test/saml_api_integration/config.ts
+++ b/x-pack/test/saml_api_integration/config.ts
@@ -20,7 +20,6 @@ export default async function({ readConfigFile }: FtrConfigProviderContext) {
 testFiles: [require.resolve('./apis')],
 servers: xPackAPITestsConfig.get('servers'),
 services: {
- kibanaServer: kibanaAPITestsConfig.get('services.kibanaServer'),
 randomness: kibanaAPITestsConfig.get('services.randomness'),
 legacyEs: kibanaAPITestsConfig.get('services.legacyEs'),
 supertestWithoutAuth: xPackAPITestsConfig.get('services.supertestWithoutAuth'),
From 2f1628784ab42372b93b8cab320d26c8baa9a9d0 Mon Sep 17 00:00:00 2001
From: Mikhail Shustov
Date: Fri, 24 Jan 2020 07:54:06 +0100
Subject: [PATCH 04/10] [NP] add platform main principles (#53866)
* add platform main principles
* update docs
* unify styles
* remove guidelines. principles should cover this
* Apply suggestions from code review
Co-Authored-By: Josh Dover
* Apply suggestions from code review
Co-Authored-By: Rudolf Meijering
* address comments
Co-authored-by: Josh Dover
Co-authored-by: Rudolf Meijering
---
 src/core/PRINCIPLES.md | 47 ++++++++++++++++++++++++++++++++++++++++++
 src/core/TESTING.md | 5 -----
 2 files changed, 47 insertions(+), 5 deletions(-)
 create mode 100644 src/core/PRINCIPLES.md
diff --git a/src/core/PRINCIPLES.md b/src/core/PRINCIPLES.md
new file mode 100644
index 000000000000000..fa832a59a3b12d9
--- /dev/null
+++ b/src/core/PRINCIPLES.md
@@ -0,0 +1,47 @@
+## Common dictionary
+Plugin - a piece of software expressing specific subject of the business unit within the code.
+
+Platform - functionality required to run all the Kibana plugins.
+
+## New platform principles
+### Explicit business domains separation
+The plugins code should be structured on the top level to reflect business units.
+```js
+// GOOD
+src/plugins
+ - apm
+ - server
+ - public
+ - search
+ ..
+// BAD
+src/plugins
+ - server
+ - apm
+ - search
+```
+### Explicit dependencies
+Each plugin should declare dependencies on the other plugins explicitly. Plugins cannot have circular dependencies. Plugins shouldn't access runtime objects, HTTP endpoints, DOM nodes, etc. created by a third party plugin without declaring a dependency on this plugin.
+```json
+"requiredPlugins": ["search"],
+"optionalPlugins": ["apm"],
+```
+### Explicit API declaration
+Each plugin has to define an explicit API. Any other API's that has not been declared explicitly as public should be considered private. HTTP endpoints belonging to other plugins are considered private. Plugins should expose a JavaScript client on top of these HTTP endpoints for other plugins to consume.
+```js
+// GOOD
+deps.plugin.getData();
+// BAD.
+`GET /api/plugin/data`
+```
+### Encapsulated state
+Each plugin encapsulates its internal state. It doesn't rely on any kind of global state. Plugins provide an internal state via explicit API, reflecting the dynamic nature of the state (an event bus, observables, getter/setter functions). A plugin can change other plugin state by calling its public API method.
+```js
+// GOOD
+deps.plugin.getData();
+deps.plugin.data$.subscribe();
+deps.plugin.setAddress('...');
+// BAD.
+deps.plugin._data;
+deps.plugin.data = '...';
+```
diff --git a/src/core/TESTING.md b/src/core/TESTING.md
index 6139820d02a14a6..467110b3874b8ba 100644
--- a/src/core/TESTING.md
+++ b/src/core/TESTING.md
@@ -247,8 +247,3 @@ _How to test against specific plugin APIs (eg. data plugin)_
 ## Plugin Contracts
 _How to test your plugin's exposed API_
-
-Guidelines:
-- Plugins should never interact with other plugins' REST API directly
-- Plugins should interact with other plugins via JavaScript contracts
-- Exposed contracts need to be well tested to ensure breaking changes are detected easily
From 6f1cf5ab0a73a23e6a01ba70c29e426f6dcb8839 Mon Sep 17 00:00:00 2001
From: Davis Plumlee
Date: Fri, 17 Jan 2020 13:30:48 -0700
Subject: [PATCH 05/10] sets up initial grid and data type
---
 .../public/applications/endpoint/index.tsx | 2 +
 .../endpoint/view/alerts/index.tsx | 67 +
 .../endpoint/view/alerts/sampledata.json | 11350 ++++++++++++++++
 x-pack/plugins/endpoint/server/types.ts | 24 +
 4 files changed, 11443 insertions(+)
 create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx
 create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/sampledata.json
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/index.tsx
index 7598141bdea6594..9bea41126d29634 100644
--- a/x-pack/plugins/endpoint/public/applications/endpoint/index.tsx
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/index.tsx
@@ -12,6 +12,7 @@ import { Route, BrowserRouter, Switch } from 'react-router-dom';
 import { Provider } from 'react-redux';
 import { Store } from 'redux';
 import { appStoreFactory } from './store';
+import { AlertIndex } from './view/alerts';
 /**
 * This module will be loaded asynchronously to reduce the bundle size of your plugin's main bundle.
@@ -64,6 +65,7 @@ const AppRoot: React.FunctionComponent = React.memo(({ basename, st ); }} /> + ( 
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx
new file mode 100644
index 000000000000000..331c38a672aeae7
--- /dev/null
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx
@@ -0,0 +1,67 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { memo, useState, useMemo } from 'react';
+import React from 'react';
+import { EuiDataGrid } from '@elastic/eui';
+import json from './sampledata.json';
+
+export const AlertIndex = memo(() => {
+ const columns: Array<{ id: string }> = [
+ { id: 'alert_type' },
+ { id: 'event_type' },
+ { id: 'os' },
+ { id: 'ip_address' },
+ { id: 'host_name' },
+ { id: 'timestamp' },
+ { id: 'archived' },
+ { id: 'malware_score' },
+ ];
+
+ const [visibleColumns, setVisibleColumns] = useState(() => columns.map(({ id }) => id));
+
+ const renderCellValue = useMemo(() => {
+ return ({ rowIndex, columnId }: { rowIndex: number; columnId: string }) => {
+ if (columnId === 'alert_type') {
+ return json[rowIndex].value.source.endgame.metadata.key;
+ } else if (columnId === 'event_type') {
+ return json[rowIndex].value.source.endgame.data.file_operation;
+ } else if (columnId === 'os') {
+ return json[rowIndex].value.source.host.os.name;
+ } else if (columnId === 'ip_address') {
+ return json[rowIndex].value.source.host.ip;
+ } else if (columnId === 'host_name') {
+ return json[rowIndex].value.source.host.hostname;
+ } else if (columnId === 'timestamp') {
+ return json[rowIndex].value.source.endgame.timestamp_utc;
+ } else if (columnId === 'archived') {
+ return null; // TODO change this once its available in backend
+ } else if (columnId === 'malware_score') {
+ return json[rowIndex].value.source.endgame.data.malware_classification.score;
+ }
+ return '';
+ };
+ }, []);
+
+ return (
+
+ );
+});
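Review bot: `renderCellValue` indexes `json[rowIndex]` with no bounds check and then dereferences a deep property chain in every branch (for example `.value.source.endgame.data.malware_classification.score`), so a row index past the end of the fixture, or a document missing one of those keys, throws inside the grid's render path instead of yielding an empty cell; the `EuiDataGrid` props are not visible in this hunk, so the `rowCount` actually passed cannot be checked here. The `if`/`else if` chain keyed on `columnId` would read better as a table of accessor functions keyed by column id with one guard on the row, as sketched below (this assumes the JSON import is typed, which the existing property access already relies on). Separately, `import json from './sampledata.json'` compiles an 11,350-line fixture of realistic hostnames, file paths, hashes and certificate serials into the plugin's public bundle; presumably this is a stand-in until the backend supplies alerts, but until then it would be better kept out of the production bundle and loaded only in tests or development builds.
```typescript
type AlertRow = (typeof json)[number];

// One accessor per column id, keyed exactly like `columns` below.
const cellAccessors: Record<string, (row: AlertRow) => React.ReactNode> = {
  alert_type: row => row.value.source.endgame.metadata.key,
  event_type: row => row.value.source.endgame.data.file_operation,
  os: row => row.value.source.host.os.name,
  ip_address: row => row.value.source.host.ip,
  host_name: row => row.value.source.host.hostname,
  timestamp: row => row.value.source.endgame.timestamp_utc,
  archived: () => null, // TODO change this once its available in backend
  malware_score: row => row.value.source.endgame.data.malware_classification.score,
};

export const AlertIndex = memo(() => {
  // … unchanged: columns, visibleColumns state …

  const renderCellValue = useMemo(() => {
    return ({ rowIndex, columnId }: { rowIndex: number; columnId: string }) => {
      const row = json[rowIndex];
      const accessor = cellAccessors[columnId];
      // Unknown column or out-of-range row renders as an empty cell rather than throwing.
      if (row === undefined || accessor === undefined) {
        return '';
      }
      return accessor(row);
    };
  }, []);

  // … unchanged: return (<EuiDataGrid …/>) …
```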
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/sampledata.json b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/sampledata.json
new file mode 100644
index 000000000000000..b0d6ae02f9f9217
--- /dev/null
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/sampledata.json
@@ -0,0 +1,11350 @@ +[ + { + "type": "doc", + "value": { + "id": "huVEc20BW148Je-rzxwQ", + "index": "test_alert_data", + "source": { + "@timestamp": 1542789433000, + "agent": { + "id": "5085268f-7443-4f15-85d2-bf14b2a69c60", + "type": "endgame", + "version": "3.0.0" + }, + "ecs": { + "version": "1.1.0" + }, + "endgame": { + "data": { + "alert_details": { + "acting_process": { + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "cmdline": "\"C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe\"", + "create_time": 1542788400, + "domain": "NT AUTHORITY", + "exe": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", + "hashes": { + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" + }, + "imphash": "c30d230b81c734e82e86e2e2fe01cd01", + "is_sensor": false, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "modules": [ + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424710, + "hashes": { + "imphash": "c30d230b81c734e82e86e2e2fe01cd01", + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "sha1": 
"ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 5362483200, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 05:28" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258681, + "hashes": { + "imphash": "d41d8cd98f00b204e9800998ecf8427e", + "md5": "3556d5a8bf2cc508bdab51dec38d7c61", + "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", + "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2006056960, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, 
+ "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258315, + "hashes": { + "imphash": "9165b02c931d76a9b666d8d42128111b", + "md5": "7a6326d96d53048fdec542df23d875a0", + "sha1": "5c02af0206c299f5bcab8da4237cfc92e3e93495", + "sha256": "182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2004877312, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\kernel32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258316, + "hashes": { + "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", + "md5": "da68c291b4ef2dec9c5963266bcae454", + "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", + "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760109568, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\KERNELBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + 
"subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258929, + "hashes": { + "imphash": "2cb501375ed127591bf5cfee7f1e52fe", + "md5": "fe70103391a64039a921dbfff9c7ab1b", + "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", + "sha256": "f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2003828736, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USER32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258001, + "hashes": { + "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", + "md5": "1084aa52ccc324ea54c7121fa24c2221", + "sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", + "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791780163584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\GDI32.dll", + 
"signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534943, + "hashes": { + "imphash": "919110853c18aa198ad129945337b1dd", + "md5": "d202223587518b13d72d68937b7e3f70", + "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", + "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791780622336, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\LPK.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258933, + "hashes": { + "imphash": "17bf46cf6bf6c8cae48be5b75615a353", + "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", + "sha1": "66310680ee38904b2852717af13028e53b4e8b8e", + "sha256": 
"2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788552192, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USP10.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hashes": { + "imphash": "8c99b1c0f6cf68b07336751f460f1dba", + "md5": "7319bb10fa1f86e49e3dcf4136f6c957", + "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", + "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791775444992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msvcrt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": 
"http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534699, + "hashes": { + "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", + "md5": "6df46d2bd74e3da1b45f08f10d172732", + "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", + "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791781736448, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ADVAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535198, + "hashes": { + "imphash": "b8ba136689cdc8d8b25fc04902f39a22", + "md5": "83404dcbce4925b6a5a77c5170f46d86", + "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", + "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791777214464, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\sechost.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 
0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258798, + "hashes": { + "imphash": "46876e4adb924a616ddbbb1992d61257", + "md5": "0611473c1ad9e2d991cd9482068417f7", + "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", + "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791787307008, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RPCRT4.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424472, + "hashes": { + "imphash": "a24cfb84e3006f3634d5b09aed45c264", + "md5": "56e6aa240cf6503265fbe5cf4d5889e8", + "sha1": "2678a3c08b2f82598527bd0c064eb1be5877e277", + "sha256": "4e7e127e2818eeb2de34a9369dcaca233443f085e53706c969592a9907df2ae8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791710957568, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\AP.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": 
"x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424450, + "hashes": { + "imphash": "f12460104bb4725d7964cf569f727f61", + "md5": "58017789505c114426b63c775debc12b", + "sha1": "0a348ca38bbcf851083578b77a8263765bd9b5e7", + "sha256": "1bd7d7b7b69e15adb6fcf0b520a7107eb5270163935e1f50fcee85ed65440b46" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791706894336, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\Protobuf.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1438071093, + "hashes": { + "imphash": "341d1190606326748a708433d5d0cc36", + "md5": "0a2be3ed5a71082e5f9296f79323a639", + "sha1": "6acb15e8191b5530297c807d3066b1a71f4326d4", + "sha256": "8847013e01db09adab6a1dc338803df3696730577a0dda847847540529048aae" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791705714688, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\libprotobuf.dll", + "signature_signer": "Cybereason Inc", + "signature_status": 
"trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Code Signing PCA", + "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", + "subject_name": "Microsoft Corporation" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "10/04/2013 22:49" + }, + "more_info_link": "http://microsoft.com", + "program_name": "msvcp120.dll", + "publisher_link": "" + }, + "compile_time": 1380942867, + "hashes": { + "imphash": "d0a59246eab41d54812cd63c2326e1f1", + "md5": "46060c35f697281bc5e7337aee3722b1", + "sha1": "d0164c041707f297a73abb9ea854111953e99cf1", + "sha256": "2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791704993792, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSVCP120.dll", + "signature_signer": "Microsoft Corporation", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Code Signing PCA", + "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", + "subject_name": "Microsoft Corporation" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "10/04/2013 22:49" + }, + "more_info_link": "http://microsoft.com", + "program_name": "msvcr120.dll", + "publisher_link": "" + }, + "compile_time": 1380942847, + "hashes": { + "imphash": "8f18e22935ef8b336e246ee763fbec97", + "md5": "9c861c079dd81762b6c54e37597b7712", + "sha1": "62cb65a1d79e2c5ada0c7bfc04c18693567c90d0", + "sha256": 
"ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791704010752, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSVCR120.dll", + "signature_signer": "Microsoft Corporation", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258732, + "hashes": { + "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", + "md5": "6c60b5aca7442efb794082cdacfc001c", + "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", + "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791791894528, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ole32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + 
"program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258736, + "hashes": { + "imphash": "774fed8966de60d3af2dd9070df5be6f", + "md5": "42f05f980f164e084db65b2e8cd8430f", + "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", + "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791783899136, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEAUT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258981, + "hashes": { + "imphash": "1ec347d133df2fe4da3e5f8944caeae8", + "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", + "sha1": "d48aafa576b40a5e386e609bba1010472551154a", + "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791779835904, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WS2_32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535145, + "hashes": { + "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", + "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", + "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", + "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791791828992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NSI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258859, + "hashes": { + "imphash": "4b37cbf60127ea0550ec30e0b1c52984", + "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", + "sha1": "3b099b193abb9064e6937101d0c309f04d713882", + "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791784816640, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHLWAPI.dll", + "signature_signer": "Microsoft 
Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257495, + "hashes": { + "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", + "md5": "497bfeddaf3950dd909c3b0c5558a25d", + "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", + "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730683904, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258138, + "hashes": { + "imphash": "0bc508389b6b5577cf3cca214ca523a7", + "md5": "2b81776da02017a37fe26c662827470e", + "sha1": 
"8c85389640bea73a009d83079f8b4c963697035f", + "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791725375488, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IPHLPAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535281, + "hashes": { + "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", + "md5": "4c9210e8f4e052f6a4eb87716da0c24c", + "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", + "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791725113344, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINNSI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 
19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247527581, + "hashes": { + "imphash": "be693a67b5b884d7609eaf574ba00955", + "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", + "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", + "sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2007957504, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PSAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1472978395, + "hashes": { + "imphash": "3a8c832bddbba9333df28c1da212318e", + "md5": "e1c637922e34d868ebcd6ef199cf1394", + "sha1": "01c19a0137082a03ecace613506af5fe9a66a12b", + "sha256": "0c0c7b4c9926413c285fa2345f08b895888887156277e535851a1f1d774e6c6c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791703158784, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\SQLite2015.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": 
"Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534912, + "hashes": { + "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", + "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", + "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", + "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791790977024, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IMM32.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535018, + "hashes": { + "imphash": "b523fff180cb22465ccf191b827e9923", + "md5": "c431eaf5caa1c82cac2534a2eab348a3", + "sha1": "e425577ccfc9b92efbbcb760d21fcaa478d3e51a", + "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791776100352, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSCTF.dll", + "signature_signer": "Microsoft Windows", + 
"signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534874, + "hashes": { + "imphash": "621a31b25a9ef1d128ea281b3eab572b", + "md5": "0040c486584a8e582c861cfb57ab5387", + "sha1": "bcf326e3f79b3db028c2ef1cc1a47d9697e867e7", + "sha256": "5ee17b55cb702d14ae75b19226de21cd2498bda6c6ef5872fdb8a718f401fed1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791724654592, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\fwpuclnt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258848, + "hashes": { + "imphash": "cc4d63ca30fdbb90048e549782d2116a", + "md5": "858df0795cb5b4bace0f33708925a414", + "sha1": "e629ed78e6e1829263890974760dad8a431edf69", + "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" + 
}, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791753031680, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Secur32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258854, + "hashes": { + "imphash": "9c631776d86c9b15258c3cc2a6a7891d", + "md5": "26e716ed95dc48cf6e5ac046089366af", + "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", + "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791761092608, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\shell32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "11/29/2016 03:22" + }, + "more_info_link": "", + "program_name": "", + 
"publisher_link": "" + }, + "compile_time": 1480418473, + "hashes": { + "imphash": "f89e0a919d52e2b37d82d27f521530cf", + "md5": "f1a6e89598aa63a2efcfd1e31b44fe7c", + "sha1": "cd3a39758e72f42ef077c0ad9dd700509a032da6", + "sha256": "1ee6540520a7a84bc22036be42052303b5aed9911c9e8a04184a0688c63576f8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791699816448, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDUpdateServiceCom.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258594, + "hashes": { + "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", + "md5": "764908fe1fa96f93c95b1b67a0fced29", + "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", + "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720656896, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NETAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258588, + "hashes": { + "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", + "md5": "6ceca4c6a489c9b2e6073afdaae3f607", + "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", + "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720198144, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\netutils.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258920, + "hashes": { + "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", + "md5": "3a9c9baf610b0dd4967086040b3b62a9", + "sha1": "3207ac7f895eab34623d994548d7810e54be3e79", + "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791751524352, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\srvcli.dll", + "signature_signer": "Microsoft Windows", + 
"signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259010, + "hashes": { + "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", + "md5": "3c91392d448f6e5d525a85b7550d8ba9", + "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", + "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720067072, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wkscli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535234, + "hashes": { + "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", + "md5": "94e026870a55aaeaff7853c1754091e9", + "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", + "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" + 
}, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791741169664, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\VERSION.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/18/2017 09:26" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484760175, + "hashes": { + "imphash": "b33f679b12d9d05d922e720c0e21818c", + "md5": "1e5ea729f6dc5a8aff675a45706d389d", + "sha1": "f5a70ab4772325946a93c9eaf48ebe1dd1e7d3a3", + "sha256": "35da922b25ec8389a733f46a6c0d37c2c6b05463a123cde9fee48402c473e1ef" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791699161088, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\scan.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "11/22/2016 08:08" + }, + "more_info_link": "", 
+ "program_name": "", + "publisher_link": "" + }, + "compile_time": 1479830743, + "hashes": { + "imphash": "513a166377e008d25aa2e22983dd13ff", + "md5": "3450d998edec5cdbd03b0df09c17e02d", + "sha1": "558979fb1a9368acdf2dc1e3d1afd94e7343f914", + "sha256": "c1f24493e4fc2a9c5d17e077455c3a610ad1e5fa46590f0f9598e680e5a07556" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791698702336, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/16/2017 05:34" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484573247, + "hashes": { + "imphash": "d6d5dc292fe4d710905e9f280360309d", + "md5": "9f1bcf84eaa34afbdfcf19f22fc1d6f5", + "sha1": "e15e023d46738f4848f64ce853ada6a3083f8b7f", + "sha256": "d1c30b1a7fc63c4f52b00628c3e73f571db52ff2b87718bcb5a6322923f58987" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791696343040, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdquar.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 
83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/16/2017 05:34" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484573248, + "hashes": { + "imphash": "4e1a791e94ac955105ddfaac387de22f", + "md5": "874d6017f89a2ef255a16280ed4b1bf7", + "sha1": "8951c3ab1c9ea0c312206b98d22a9779c8a89c8c", + "sha256": "00512202b78037c17a77b095fcb3458381002dbd20de8dee0c99ff7701343cda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791693721600, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDSmartDB.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257756, + "hashes": { + "imphash": "5cd9d6761799e2ff681533ef1ffbb31d", + "md5": "2477a28081bdaee622cf045acf8ee124", + "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", + "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757291520, + "mapped_size": 0, + 
"path": "C:\\Windows\\system32\\CFGMGR32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "DigiCert Assured ID Code Signing CA-1", + "serial_number": "0f b5 4c 96 fd 63 93 fd 7b b9 9c d1 d0 d5 16 ed ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "09/12/2018 01:20" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1512623776, + "hashes": { + "imphash": "e2dab13fa4a67b25d3fbae65a189c521", + "md5": "627d7f1de23e6b01d6251b4c6962e765", + "sha1": "5e1d1854861016198ce4a1dbdea883f257de9463", + "sha256": "82bdf513b5f5b55ff740482ee839b14455b2296e2a911cb9a1ae622969412ed5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791688937472, + "mapped_size": 0, + "path": "C:\\ProgramData\\apv2\\bd_db\\1\\bdcore.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "09/13/2017 23:13" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1505278115, + "hashes": { + "imphash": "c2979e6e570392ed85b4e15810f2e90f", + "md5": 
"3b4c71b64bc20b0c6578a091a031c0fb", + "sha1": "00cb578e723555e929e4ad8e820772b56ce29475", + "sha256": "52db08c10a5f1482dda8527d592f71b33c1cfecfa5a5a2d0be5a78325c41dd7b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791679827968, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdnc.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257999, + "hashes": { + "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", + "md5": "3f9f2afa135f0663946a006dd5ffd897", + "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", + "sha256": "276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758209024, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp 
Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258373, + "hashes": { + "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", + "md5": "884415bd4269c02eaf8e2613bf85500d", + "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", + "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757225984, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSASN1.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535280, + "hashes": { + "imphash": "af1203c1d6d810c97729856780869b12", + "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", + "sha1": "c53e005cd04d99331ce3114ac119256133202313", + "sha256": "81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791679172608, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINMM.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows 
Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258927, + "hashes": { + "imphash": "b32250da0d30f7782b5b900d4d9c519a", + "md5": "2a86e54b441ad41557f75dc5609b9793", + "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", + "sha256": "8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791754866688, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SSPICLI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258493, + "hashes": { + "imphash": "466f15f36f10655b30e9347e7dfc2b52", + "md5": "1d5185a4c7e6695431ae4b55c3d7d333", + "sha1": "5e9f739d46e20541ffc0a6421dc6be416ca8f261", + "sha256": "16f3906c54f1d71559836fdfcf4e83e7c9f454463d78fd577ad2d7022e0bcb51" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 
8791748378624, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\mswsock.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535287, + "hashes": { + "imphash": "f967c6b35a5d1b7765016056a842e331", + "md5": "31559f3244c6bc00a52030caa83b6b91", + "sha1": "7943540153c7b7878101a4901d7935e05e7cfd32", + "sha256": "b2025742b5f0025ace9821d5722de3f997eeeab21d2f381c9e307882df422579" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791742021632, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wshtcpip.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534998, + "hashes": { + "imphash": "77870f98ca4d25a823c74d7404a64bfd", + "md5": 
"d0c2fbb6d97416b0166478fc7ae2b212", + "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", + "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791748771840, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTSP.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 17:43" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535161, + "hashes": { + "imphash": "b8c20a01e4d94df61ee21f5350389f9c", + "md5": "5d8874a8c11dddde29e12de0e2013493", + "sha1": "a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", + "sha256": "3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791745626112, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\rsaenh.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", 
+ "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534993, + "hashes": { + "imphash": "f0c6fd6831905d958b05645b680db89f", + "md5": "784fa3df338e2e8f5f0389d6fac428af", + "sha1": "6d32c67c91c6d374854e907c6719db2538540867", + "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791755456512, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257906, + "hashes": { + "imphash": "ff74e3ff0a015c2023b747f613061e42", + "md5": "a52b6cc24063cc83c78c0e6f24deec01", + "sha1": "a5384efac7d1f9213aaf0423ed0b021bc986b9df", + "sha256": "77e0d2b2356e71f9be52fa479c9dde17c453c198bb49cd4a97f2309628d82e3b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791746805760, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DNSAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification 
PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534791, + "hashes": { + "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", + "md5": "4cbcc37856ea2039c27a2fb661dda0e5", + "sha1": "cc666108d34168420a1d1942dda1e090154c7296", + "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722557440, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534790, + "hashes": { + "imphash": "f17020f0f66b64fbdf51c75b43f3729d", + "md5": "f568f7c08458d69e4fcd8675bbb107e4", + "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", + "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + 
"mapped_address": 8791722426368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534847, + "hashes": { + "imphash": "dda6776607f283829d85b996f5e46d03", + "md5": "f3d202f53a222d5f6944d459b73cf967", + "sha1": "c9db224ce8ec34aa2f341b6766ea67aa12f8b4a7", + "sha256": "e9f1d48eb333d32331bcfd0348fe07bee7d5352292e6020571da395f596affe7" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791675961344, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\FLTLIB.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535135, + "hashes": { + "imphash": "ff720e05e534d67b814b8562265058f5", + "md5": 
"2c942733a5983dd4502219ff37c7ebc7", + "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", + "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756308480, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\profapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259008, + "hashes": { + "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", + "md5": "eb3f9c2de1236b5d46b2291d82970e43", + "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", + "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759847424, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINTRUST.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + 
"timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534778, + "hashes": { + "imphash": "37afbae3e0f359c3718e379261f7ccfc", + "md5": "25983de69b57142039ac8d95e71cd9c9", + "sha1": "01691e3b0bfa569e64bdb7dc3d637a867ed2dc08", + "sha256": "a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791791173632, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CLBCatQ.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258799, + "hashes": { + "imphash": "a198edd0f73abd7cdbb54eef82ab1fc6", + "md5": "c2a8cb1275ecb85d246a9ecc02a728e3", + "sha1": "4417207821fc8f5c72ff531683f183caef297882", + "sha256": "3603fadca0060bd201148f9d59e4e2627f024609a6463ab525b5d1ad17bdcd10" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756177408, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RpcRtRemote.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification 
PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258979, + "hashes": { + "imphash": "207b35260128e01bb777acc1377dc241", + "md5": "58f4493bf748a3a89689997b7bd00e95", + "sha1": "9974ba41e8215f6669deb765988cfe34e9c1b56e", + "sha256": "ec5deec73e357c7c87b001275c4e635011a9cf39419f2b86e2c2b8d7e388c551" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791697915904, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\winhttp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258934, + "hashes": { + "imphash": "01ecfbe4437ca8d85dd9400611c1b90e", + "md5": "bc9489df517c426d4044d99f14449134", + "sha1": "814f9c8c59ee59f2ff3fc1b5e21d5e270babb506", + "sha256": "cabd014ba29a548252bb8d5bd46d047dbfc445489492d9df75b29cede0ac9f8b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791697457152, + 
"mapped_size": 0, + "path": "C:\\Windows\\system32\\webio.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257996, + "hashes": { + "imphash": "eb1c8dd21e1f92a8be35a76b165ce8da", + "md5": "52d3d5e3586988d4d9e34acaac33105c", + "sha1": "2c20246d2c45fb6e8976b37ad62465f5f4255f2b", + "sha256": "c61b60ba962b25b8334f0941c3535ea4aca1cc060b8a196e396ca3e11ceef8a1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791744577536, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\credssp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535281, + "hashes": { + "imphash": "9e65c315ab3a48dda5ab558165a5002b", + "md5": "ec7cbff96b05ecf3d366355b3c64adcf", + "sha1": 
"fa74a61ea56a7bc3149860b5344c51fa9b6555bb", + "sha256": "f69ed45ebedca9cf000ac03281f0ec2c351f98513fba90e63394e4e561d6c7a2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791748313088, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wship6.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535149, + "hashes": { + "imphash": "c2a02641f5327bf07de486ae7ec62117", + "md5": "88351b29b622b30962d2feb6ca8d860b", + "sha1": "3338d73b6c86fce85b07236ac230e5e2f4601818", + "sha256": "a16cad7d94c1c9807083bb36e9b4c3c14e6482c4ca2bdfacbcc86e737ddce42e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791678255104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\rasadhlp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 
11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258810, + "hashes": { + "imphash": "34991d52051c8576ed061e7a2c5a4ae0", + "md5": "a199de544bf5c61c134b22c7592226fc", + "sha1": "03d97c806e4a28bb37d8c8384deddd6ac28acc9d", + "sha256": "af0cc2da847036f5fe6dd9fbeda7c3d05af291873d4eae121676dc6e8841a78f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791746215936, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\schannel.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535060, + "hashes": { + "imphash": "6a351d0e14283da2cd897563f0062c5b", + "md5": "2e8c52a0ec788d90fa35d9507d828771", + "sha1": "0725085c62d3a5a9a0d50256c2a56161aaca0a07", + "sha256": "dd5aaa10e075f209d9827c7a192ad5645d1156c149db9b5ac1ef7b5e0b5f11de" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791750344704, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ncrypt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 
c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534713, + "hashes": { + "imphash": "9f3aab7eb2ffeeba57cb67496b05f365", + "md5": "b9a95365e52f421a20e1501935fadda5", + "sha1": "958a7ba90043f8e3b94da849a2da8bb139fc39c9", + "sha256": "ddb4cb575139233efaf2c59b7e9b04af36bbccc63190181f3b2a7e6bfc86e77e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791750148096, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\bcrypt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 34 64 00 00 00 00 00 0c ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 05:28" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257648, + "hashes": { + "imphash": "738644d200eea1ceb5661b1ac09aa146", + "md5": "d6c7780a364c6bbacfa796bab9f1b374", + "sha1": "15236c349be131790d21a63550d725cc62b1bf13", + "sha256": "3b5ed1a030bfd0bb73d4ffcd67a6a0b8501ef70293f223efaa12f430adf270f9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791744839680, + "mapped_size": 0, + "path": 
"C:\\Windows\\system32\\bcryptprimitives.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258932, + "hashes": { + "imphash": "0e8a67fa12ce3d22a9e1d18bda5c3260", + "md5": "7a17485dc7d8a7ac81321a42cd034519", + "sha1": "83d1722a35eb16b010d8c9f72c627e97d4642101", + "sha256": "88d8705fa901793fc8c1cfd0175e49a6502bf0fc94a066ba573d2fd13aa5f04a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743201280, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USERENV.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534853, + "hashes": { + "imphash": "1bcae470249f30c5f912c1293a2d3470", + "md5": "9c9307c95671ac962f3d6eb3a4a89bae", + "sha1": 
"6190ce7b101c5946b1d773245d286a1e592f5181", + "sha256": "d1433791c9b8bceead8937ec18d33e89e4e2012b5975228a8500fd141bc30078" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743070208, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\GPAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + } + ], + "name": "AmSvc.exe", + "parent_exe": "C:\\Windows\\System32\\services.exe", + "parent_name": "services.exe", + "pid": 1076, + "ppid": 432, + "primary_token": { + "domain": "NT AUTHORITY", + "integrity_level": 16384, + "integrity_level_name": "system", + "privileges": [ + { + "description": "Replace a process level token", + "enabled": false, + "name": "SeAssignPrimaryTokenPrivilege" + }, + { + "description": "Lock pages in memory", + "enabled": true, + "name": "SeLockMemoryPrivilege" + }, + { + "description": "Adjust memory quotas for a process", + "enabled": false, + "name": "SeIncreaseQuotaPrivilege" + }, + { + "description": "Act as part of the operating system", + "enabled": true, + "name": "SeTcbPrivilege" + }, + { + "description": "Manage auditing and security log", + "enabled": false, + "name": "SeSecurityPrivilege" + }, + { + "description": "Take ownership of files or other objects", + "enabled": false, + "name": "SeTakeOwnershipPrivilege" + }, + { + "description": "Load and unload device drivers", + "enabled": true, + "name": "SeLoadDriverPrivilege" + }, + { + "description": "Profile system performance", + "enabled": true, + "name": "SeSystemProfilePrivilege" + }, + { + "description": "Change the system time", + "enabled": false, + "name": "SeSystemtimePrivilege" + }, + { + "description": "Profile single process", + "enabled": true, + "name": "SeProfileSingleProcessPrivilege" + }, + { + "description": "Increase scheduling priority", + "enabled": true, + "name": "SeIncreaseBasePriorityPrivilege" + }, + { + "description": "Create a 
pagefile", + "enabled": true, + "name": "SeCreatePagefilePrivilege" + }, + { + "description": "Create permanent shared objects", + "enabled": true, + "name": "SeCreatePermanentPrivilege" + }, + { + "description": "Back up files and directories", + "enabled": true, + "name": "SeBackupPrivilege" + }, + { + "description": "Restore files and directories", + "enabled": true, + "name": "SeRestorePrivilege" + }, + { + "description": "Shut down the system", + "enabled": false, + "name": "SeShutdownPrivilege" + }, + { + "description": "Debug programs", + "enabled": true, + "name": "SeDebugPrivilege" + }, + { + "description": "Generate security audits", + "enabled": true, + "name": "SeAuditPrivilege" + }, + { + "description": "Modify firmware environment values", + "enabled": false, + "name": "SeSystemEnvironmentPrivilege" + }, + { + "description": "Bypass traverse checking", + "enabled": true, + "name": "SeChangeNotifyPrivilege" + }, + { + "description": "Remove computer from docking station", + "enabled": false, + "name": "SeUndockPrivilege" + }, + { + "description": "Perform volume maintenance tasks", + "enabled": false, + "name": "SeManageVolumePrivilege" + }, + { + "description": "Impersonate a client after authentication", + "enabled": true, + "name": "SeImpersonatePrivilege" + }, + { + "description": "Create global objects", + "enabled": true, + "name": "SeCreateGlobalPrivilege" + }, + { + "description": "Increase a process working set", + "enabled": true, + "name": "SeIncreaseWorkingSetPrivilege" + }, + { + "description": "Change the time zone", + "enabled": true, + "name": "SeTimeZonePrivilege" + }, + { + "description": "Create symbolic links", + "enabled": true, + "name": "SeCreateSymbolicLinkPrivilege" + } + ], + "sid": "S-1-5-18", + "type": "tokenPrimary", + "user": "SYSTEM" + }, + "services": [ + { + "name": "CybereasonAntiMalware" + } + ], + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": 
"8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2", + "sid": "S-1-5-18", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted", + "threads": [ + { + "create_time": 1542788400, + "entrypoint": 5362733988, + "thread_id": 1080, + "up_time": 1084 + }, + { + "create_time": 1542788400, + "entrypoint": 2006167232, + "thread_id": 1108, + "up_time": 1083 + }, + { + "create_time": 1542788400, + "entrypoint": 8791693804752, + "thread_id": 1232, + "up_time": 1080 + }, + { + "create_time": 1542788400, + "entrypoint": 8791693762672, + "thread_id": 1244, + "up_time": 1080 + }, + { + "create_time": 1542788400, + "entrypoint": 8791679862464, + "thread_id": 1392, + "up_time": 1070 + }, + { + "create_time": 1542788400, + "entrypoint": 8791679862464, + "thread_id": 1396, + "up_time": 1070 + }, + { + "create_time": 1542788400, + "entrypoint": 8791679865776, + "thread_id": 1400, + "up_time": 1070 + }, + { + "create_time": 1542788400, + "entrypoint": 8791679929872, + "thread_id": 1404, + "up_time": 1070 + }, + { + "create_time": 1542788400, + "entrypoint": 2006186944, + "thread_id": 1480, + "up_time": 1067 + }, + { + "create_time": 1542788400, + "entrypoint": 8791704162340, + "thread_id": 1632, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721056, + "thread_id": 1640, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721056, + "thread_id": 1644, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721056, + "thread_id": 1648, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721056, + "thread_id": 1652, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721392, + "thread_id": 1656, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698720112, + "thread_id": 1660, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698720736, + "thread_id": 1664, + "up_time": 1033 
+ }, + { + "create_time": 1542788400, + "entrypoint": 8791698722160, + "thread_id": 1668, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 5362651040, + "thread_id": 1672, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 5362651040, + "thread_id": 1680, + "up_time": 1033 + }, + { + "create_time": 1542788900, + "entrypoint": 8791680004352, + "thread_id": 1808, + "up_time": 587 + }, + { + "create_time": 1542789000, + "entrypoint": 2006186944, + "thread_id": 2284, + "up_time": 432 + }, + { + "create_time": 1542789100, + "entrypoint": 2006186944, + "thread_id": 1780, + "up_time": 364 + }, + { + "create_time": 1542789100, + "entrypoint": 2006186944, + "thread_id": 12, + "up_time": 343 + }, + { + "create_time": 1542789200, + "entrypoint": 8791748438592, + "thread_id": 2476, + "up_time": 168 + } + ], + "unique_pid": 22, + "unique_ppid": 8, + "up_time": 1084, + "user": "SYSTEM" + }, + "acting_thread": { + "create_time": 1542788400, + "service_name": "CybereasonAntiMalware", + "thread_id": 1648, + "thread_start_address": 8791698721056, + "thread_start_address_module": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll" + } + }, + "captured_file": false, + "file_name": "C:\\Windows\\TEMP\\tmp0000008f\\tmp00001c75", + "file_operation": "creation", + "file_owner": "Administrators", + "file_size": 188416, + "hashes": { + "imphash": "835d619dfdf3cc727cebd91300ab3462", + "md5": "4ace3baaa509d08510405e1b169e325b", + "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", + "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" + }, + "is_signature_trusted": false, + "malware_classification": { + "compressed_malware_features": { + "data_buffer": "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", + "decompressed_size": 27831, + "encoding": "zlib" + }, + "identifier": "endpointpe", + "prevention_threshold": 0.66, + "score": 1, + "threshold": 0.66, + "version": "3.0.33" + }, + "pid": 1076, + "ppid": 432, + 
"signature_signer": "", + "temp_file_path": "C:\\Windows\\TEMP\\27fef9a8-bd80-4784-934c-76b383147d3f", + "timestamp": { + "accessed": 1542789400, + "created": 1542789400, + "modified": 1542789400 + }, + "user_blacklisted": false + }, + "event_subtype_full": "file_classification_event", + "event_type_full": "alert_event", + "metadata": { + "beta_alert": false, + "chunk_id": 0, + "collection_time": 1542789400, + "correlation_id": "3aab8e43-2cdb-4d32-b46b-b8382ff11939", + "destination_plugin": "send", + "final": true, + "is_alert": true, + "key": "fileClassificationEventResponse", + "message_id": "31b54c77-fdbb-4550-9259-0dce12b98ec2", + "origination_task_id": "7aa040c3-7751-4b8f-9629-9ed4d84c1507", + "os_type": "windows", + "priority": 80, + "result": { + "local_code": 0, + "local_msg": "Success" + }, + "semantic_version": "3.50.0", + "sensor_version": "3.50.0", + "task_id": "7aa040c3-7751-4b8f-9629-9ed4d84c1507", + "type": "detection" + }, + "opcode": 8, + "serial_event_id": 167011, + "timestamp": 132140242101035230, + "timestamp_utc": "2019-09-27 02:16:50Z" + }, + "event": { + "action": "file_classification_event", + "dataset": "esensor", + "kind": "alert", + "module": "endgame" + }, + "host": { + "hostname": "HD-ssm-0b0d26ad", + "ip": "10.81.164.74", + "name": "HD-ssm-0b0d26ad", + "os": { + "name": "Windows", + "platform": "windows", + "version": "6.1" + } + }, + "labels": { + "account_id": "8c48070b-4b61-4ded-86d5-1b9a7a78229c", + "endpoint_id": "5085268f-7443-4f15-85d2-bf14b2a69c60" + }, + "user": { + "group": { + } + } + }, + "type": "_doc" + } + }, + { + "type": "doc", + "value": { + "id": "kuNEc20BW148Je-rmp1N", + "index": "test_alert_data", + "source": { + "@timestamp": 1542341895000, + "agent": { + "id": "ced9c68e-b94a-4d66-bb4c-6106514f0a2f", + "type": "endgame", + "version": "3.0.0" + }, + "ecs": { + "version": "1.1.0" + }, + "endgame": { + "data": { + "alert_details": { + "acting_process": { + "authenticode": { + "cert_signer": { + "issuer_name": 
"Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "cmdline": "C:\\Windows\\Explorer.EXE", + "create_time": 1542341500, + "domain": "WIN-Q3DOP1UKA81", + "exe": "C:\\Windows\\explorer.exe", + "hashes": { + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "sha1": "4583daf9442880204730fb2c8a060430640494b1", + "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a" + }, + "imphash": "6422e341c67ba0880e012f8c7c634c21", + "is_sensor": false, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "modules": [ + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290248516, + "hashes": { + "imphash": "6422e341c67ba0880e012f8c7c634c21", + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "sha1": "4583daf9442880204730fb2c8a060430640494b1", + "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + 
"mapped_address": 4278845440, + "mapped_size": 0, + "path": "C:\\Windows\\Explorer.EXE", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 05:28" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258681, + "hashes": { + "imphash": "d41d8cd98f00b204e9800998ecf8427e", + "md5": "3556d5a8bf2cc508bdab51dec38d7c61", + "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", + "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2007891968, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258315, + "hashes": { + "imphash": "9165b02c931d76a9b666d8d42128111b", + "md5": "7a6326d96d53048fdec542df23d875a0", + "sha1": 
"5c02af0206c299f5bcab8da4237cfc92e3e93495", + "sha256": "182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2006712320, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\kernel32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258316, + "hashes": { + "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", + "md5": "da68c291b4ef2dec9c5963266bcae454", + "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", + "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760175104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\KERNELBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + 
"more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534699, + "hashes": { + "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", + "md5": "6df46d2bd74e3da1b45f08f10d172732", + "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", + "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791763779584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ADVAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hashes": { + "imphash": "8c99b1c0f6cf68b07336751f460f1dba", + "md5": "7319bb10fa1f86e49e3dcf4136f6c957", + "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", + "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791790780416, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msvcrt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 
00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535198, + "hashes": { + "imphash": "b8ba136689cdc8d8b25fc04902f39a22", + "md5": "83404dcbce4925b6a5a77c5170f46d86", + "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", + "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791793074176, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\sechost.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258798, + "hashes": { + "imphash": "46876e4adb924a616ddbbb1992d61257", + "md5": "0611473c1ad9e2d991cd9482068417f7", + "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", + "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791762403328, + "mapped_size": 0, + "path": 
"C:\\Windows\\system32\\RPCRT4.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258001, + "hashes": { + "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", + "md5": "1084aa52ccc324ea54c7121fa24c2221", + "sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", + "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791792615424, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\GDI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258929, + "hashes": { + "imphash": "2cb501375ed127591bf5cfee7f1e52fe", + "md5": "fe70103391a64039a921dbfff9c7ab1b", + "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", + "sha256": 
"f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2005663744, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USER32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534943, + "hashes": { + "imphash": "919110853c18aa198ad129945337b1dd", + "md5": "d202223587518b13d72d68937b7e3f70", + "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", + "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791763714048, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\LPK.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + 
"program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258933, + "hashes": { + "imphash": "17bf46cf6bf6c8cae48be5b75615a353", + "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", + "sha1": "66310680ee38904b2852717af13028e53b4e8b8e", + "sha256": "2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791782522880, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USP10.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258859, + "hashes": { + "imphash": "4b37cbf60127ea0550ec30e0b1c52984", + "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", + "sha1": "3b099b193abb9064e6937101d0c309f04d713882", + "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791792091136, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHLWAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258854, + "hashes": { + "imphash": "9c631776d86c9b15258c3cc2a6a7891d", + "md5": "26e716ed95dc48cf6e5ac046089366af", + "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", + "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791765811200, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHELL32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258732, + "hashes": { + "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", + "md5": "6c60b5aca7442efb794082cdacfc001c", + "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", + "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791783374848, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ole32.dll", + "signature_signer": "Microsoft Windows", + 
"signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258736, + "hashes": { + "imphash": "774fed8966de60d3af2dd9070df5be6f", + "md5": "42f05f980f164e084db65b2e8cd8430f", + "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", + "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791785537536, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEAUT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258088, + "hashes": { + "imphash": "ec96d3f694248151f968633563d10a36", + "md5": "eed05d42d91835064703e2318552ed25", + "sha1": "aa7e817ccad26070bce1161894f97e10aaa56fb9", + "sha256": "e9ee1e2253445b207b76f5d3073c612ed979a982522c1515e0fe8fa9641ae568" + }, + 
"malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791634935808, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\EXPLORERFRAME.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534886, + "hashes": { + "imphash": "c0e1a4a34891e5dd2a6cbaa0895a8d38", + "md5": "8ccde014a4cdf84564e03ace064ca753", + "sha1": "957e29e029fe60b8ff43ff732463c39230b78226", + "sha256": "dd663029b2eb7b12fdb00fce403d8326141e540e3b9ce84cd5871473d3e2e2cf" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735599104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DUser.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": 
"" + }, + "compile_time": 1247534885, + "hashes": { + "imphash": "9353143c2b77b94cc82ab55c5fecf99c", + "md5": "3cb6a7286422c72c34dab54a5dff1a34", + "sha1": "5b93896a6abb36c2b8957973e3ce1860c1059367", + "sha256": "98d21efff511e407336a226420701e82554da01fa05661303836b6860d63749d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791721181184, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DUI70.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534912, + "hashes": { + "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", + "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", + "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", + "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791793205248, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IMM32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft 
Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535018, + "hashes": { + "imphash": "b523fff180cb22465ccf191b827e9923", + "md5": "c431eaf5caa1c82cac2534a2eab348a3", + "sha1": "e425577ccfc9b92efbbcb760d21fcaa478d3e51a", + "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791764697088, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSCTF.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535251, + "hashes": { + "imphash": "56e651a119cdb899aadd2df3832bbcd1", + "md5": "d29e998e8277666982b4f0303bf4e7af", + "sha1": "e803b0af61ea2ddcd58b5a63b1cfbb73266318ea", + "sha256": "4f19ab5dc173e278ebe45832f6ceaa40e2df6a2eddc81b2828122442fe5d376c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791742480384, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\UxTheme.dll", + "signature_signer": "Microsoft Windows", + "signature_status": 
"trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535202, + "hashes": { + "imphash": "1c419f7cfacebfcd8e903e6be290407e", + "md5": "716175021bda290504ce434273f666bc", + "sha1": "4f00fbf4e9a88fae9e6682989032831b3d2eba86", + "sha256": "fa18ca2d8a5f4335e051e2933147d3c1e7308f7d446e2aeb6596cdef6e2afc88" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791718690816, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\POWRPROF.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258850, + "hashes": { + "imphash": "a7a25e8b145e75fdeb21026d3895033a", + "md5": "5d8e6c95156ed1f79a63d1eade6f9ed5", + "sha1": "cadd211d74385550c5e055d3312303f4d64fdebc", + "sha256": "12130837d7f89a2c7e9d25747a8e5b9001e0a38d545178b49b450c23ae62664a" + }, + 
"malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788814336, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SETUPAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257756, + "hashes": { + "imphash": "5cd9d6761799e2ff681533ef1ffbb31d", + "md5": "2477a28081bdaee622cf045acf8ee124", + "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", + "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760633856, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CFGMGR32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + 
"compile_time": 1247534817, + "hashes": { + "imphash": "2dbdaadf7e151289a49662379e253dfd", + "md5": "06fec9e8117103bb1141a560e98077da", + "sha1": "a8922793a930d602409b62be5ff01d5baec60000", + "sha256": "c5e61b11ddbbbbba3d9488970524f0975ea5fbdf16e2fa31f579f8bfa48353b1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760044032, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DEVOBJ.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534887, + "hashes": { + "imphash": "e7f2585307f1db90e7e5e48c40dc7134", + "md5": "da1b7075260f3872585bfcdd668c648b", + "sha1": "f2bd334006d728422721b7c639145a6ec59a459b", + "sha256": "3e10ef6e1a5c341b478322cb78a0ab7bfc70ad8023779b8b4542a7cb4ca756ab" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791742873600, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dwmapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp 
PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535203, + "hashes": { + "imphash": "6a5a31c99a1562b9e5e10f4b4445be95", + "md5": "be097f5bb10f9079fceb2dc4e7e20f02", + "sha1": "dd572bac50bc4718126389c628d56a83d5c4d88a", + "sha256": "90a88986c8c5f30fb153ec803feda6572b2c2630a6c9578fcc017800692694d5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791732256768, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\slc.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257495, + "hashes": { + "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", + "md5": "497bfeddaf3950dd909c3b0c5558a25d", + "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", + "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791732453376, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", + 
"signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258848, + "hashes": { + "imphash": "cc4d63ca30fdbb90048e549782d2116a", + "md5": "858df0795cb5b4bace0f33708925a414", + "sha1": "e629ed78e6e1829263890974760dad8a431edf69", + "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791754801152, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Secur32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258927, + "hashes": { + "imphash": "b32250da0d30f7782b5b900d4d9c519a", + "md5": "2a86e54b441ad41557f75dc5609b9793", + "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", + "sha256": 
"8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756701696, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SSPICLI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258762, + "hashes": { + "imphash": "26c2856b9813d8990c01c5a711b5063a", + "md5": "f06bb4e336ea57511fdbafafcc47de62", + "sha1": "bfee1b9d2269d26d99c8e462825ee8399c8bd4ec", + "sha256": "be43ec62548e9ff89a9495a1722e22dbb76eec3764f86e64057b636f27d15765" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791728259072, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PROPSYS.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + 
"program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534993, + "hashes": { + "imphash": "f0c6fd6831905d958b05645b680db89f", + "md5": "784fa3df338e2e8f5f0389d6fac428af", + "sha1": "6d32c67c91c6d374854e907c6719db2538540867", + "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757291520, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257499, + "hashes": { + "imphash": "cd11f800bc54ae45ead9d98c96048145", + "md5": "7fa8fdc2c2a27817fd0f624e78d3b50c", + "sha1": "b4aa8e16396b1882eb75c28dfbec9949608afdde", + "sha256": "7b63f6aa2cd6d4d07ea3c595b868b1a0749bb11620027a2bd9b935e3055481e4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791736123392, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + 
"serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258974, + "hashes": { + "imphash": "b03f7d8315f3384d06c11e961e6fee07", + "md5": "26b73a85855681500bcc25c7cd9ff5b1", + "sha1": "393ed9ebbe380c77935df6d0eda2047cdd2224fe", + "sha256": "94d134a6af53ad629a4505b8b0ea37f61bb43af4db71874e7e87853163a9282a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791724851200, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WindowsCodecs.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535135, + "hashes": { + "imphash": "ff720e05e534d67b814b8562265058f5", + "md5": "2c942733a5983dd4502219ff37c7ebc7", + "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", + "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 
8791758143488, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\profapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257558, + "hashes": { + "imphash": "6af6d846a78a6532fcb989d0d8aeb17d", + "md5": "90499f3163a9f815cf196a205ea3cd5d", + "sha1": "f97ff54dc4b132756fcf7041e55d645163f19851", + "sha256": "29b4ed3795cec1177eb367132914ce21c194cdec5db9dc923fd928c85e94d821" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756898304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\apphelp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534778, + "hashes": { + "imphash": "37afbae3e0f359c3718e379261f7ccfc", + "md5": "25983de69b57142039ac8d95e71cd9c9", + 
"sha1": "01691e3b0bfa569e64bdb7dc3d637a867ed2dc08", + "sha256": "a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791787700224, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CLBCatQ.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534842, + "hashes": { + "imphash": "cbda3eb1c9c46a2121362e9775f60b47", + "md5": "024352feec9042260bb4cfb4d79a206b", + "sha1": "79c23ce566219f87ade8e55a292aaaabe4a639ec", + "sha256": "60cb39086e10c5b66ebc15e4df219620b344b4358d2918ab6bb3448a0ac8be36" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791731994624, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\EhStorShell.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": 
"11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258701, + "hashes": { + "imphash": "37dad3873d5388f07576532bc042f677", + "md5": "7bbf670114373ce6a203fa155a9e0d0a", + "sha1": "104d89dde030b661d05c4c63a03fae1f46ab52d2", + "sha256": "36ef0a36c679e53b1b169289bd3c05d7c2839dc20c8c87bf520b633911fde198" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791647518720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ntshrui.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258920, + "hashes": { + "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", + "md5": "3a9c9baf610b0dd4967086040b3b62a9", + "sha1": "3207ac7f895eab34623d994548d7810e54be3e79", + "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791753228288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\srvcli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 
00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258010, + "hashes": { + "imphash": "2ba777561101c3b07566cc50db3a564c", + "md5": "1bf0cb861a48feb1638228760750f3cb", + "sha1": "fbc77224c1b444a6ec25e99f995f2f355e4d1d26", + "sha256": "37c781a8c546ead8b4d28bd7d730b9ac78eb799599ad69dad9054b6f9f1dd6bd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791649091584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\cscapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:35" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247534897, + "hashes": { + "imphash": "5bf52e420b6d5991bdcce16ada0828dc", + "md5": "1d63f4366288b8a7595397e27010fd44", + "sha1": "e459e1227083e4eabd19ee20e13754560fc7e02d", + "sha256": "99ea4ddd88d9c4a4cc9b238f533cb4d2c062d46239173997e8594d8a75811a01" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735533568, + "mapped_size": 0, + "path": 
"C:\\Windows\\system32\\IconCodecService.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534998, + "hashes": { + "imphash": "77870f98ca4d25a823c74d7404a64bfd", + "md5": "d0c2fbb6d97416b0166478fc7ae2b212", + "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", + "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791750606848, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTSP.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 17:43" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535161, + "hashes": { + "imphash": "b8c20a01e4d94df61ee21f5350389f9c", + "md5": "5d8874a8c11dddde29e12de0e2013493", + "sha1": 
"a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", + "sha256": "3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791747461120, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\rsaenh.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258799, + "hashes": { + "imphash": "a198edd0f73abd7cdbb54eef82ab1fc6", + "md5": "c2a8cb1275ecb85d246a9ecc02a728e3", + "sha1": "4417207821fc8f5c72ff531683f183caef297882", + "sha256": "3603fadca0060bd201148f9d59e4e2627f024609a6463ab525b5d1ad17bdcd10" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758012416, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RpcRtRemote.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + 
"more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258895, + "hashes": { + "imphash": "4fe9beaa9bd4aa01f5063a7352325c89", + "md5": "d7f1ef374a90709b31591823b002f918", + "sha1": "336ac44b8ee88a6af3f3eaf461b8bdf94fa657ff", + "sha256": "05fd2837c9b03d14bb2a969c1ad77caef047d93dc5d0f6c2acbf0888e8f7b359" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730683904, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SndVolSSO.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534873, + "hashes": { + "imphash": "0a90384377303e2a2625725018566a89", + "md5": "896f15a6434d93edb42519d5e18e6b50", + "sha1": "b91a3512a80c4201c3fcfaf62abace894fbba328", + "sha256": "9263f0cec58d45ebe3fb9c3061fb9392c55a7933b84b4592e6ee13cfc86d5a50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791731929088, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\HID.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 
07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534952, + "hashes": { + "imphash": "98a24f570dbcd3a092d95b3bd4e51a53", + "md5": "227e2c382a1e02f8d4965e664d3bbe43", + "sha1": "c4971ba9c1e4fdf0106c7cfab626a3d8737bbd07", + "sha256": "1cff20a8bf87ace4fa4935ebeed72bfb1a1fe902a754899e2f50798d67df5642" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791729504256, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\MMDevApi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258898, + "hashes": { + "imphash": "e99757a4c1beee1b5bf8b7b33b444dcc", + "md5": "1fcb1a72bf5c784f7358e6bef38e4571", + "sha1": "ef944a320de79bf05f0e30f54f3f8b2ba2e82c4a", + "sha256": "12da4240f8c964eda6223257bd9723fd9372e63ae86f00509163b1de12a5f6c5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791637426176, + "mapped_size": 0, + "path": 
"C:\\Windows\\system32\\timedate.cpl", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534704, + "hashes": { + "imphash": "d6de6fde05f96ac848accdb1aef473e4", + "md5": "58775492ffd419248b08325e583c527f", + "sha1": "b0e9ca05d46cb53049c4ca33fe04bd08989a78f9", + "sha256": "dbb013971f5894f25c222c2d4d50a29db6df3c413792ee9ccc1a9e6d85469093" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791732322304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ATL.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535266, + "hashes": { + "imphash": "fa1e670045065ff088a4ac664f9ac3d7", + "md5": "9f2bacd5e1776a4bb7cc0ec3c3a4f96d", + "sha1": 
"ad8c7ec85d532e5725b8535830f27c1abcf139b4", + "sha256": "19959d18601712901f03b83150d15e34ebcab355bb4692c9a28511a72f57fc66" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730618368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINBRAND.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257498, + "hashes": { + "imphash": "53f2c3eaeaa6e619e0ccd6e671e96145", + "md5": "e6f0f82788e8bd0f7a616350efa0761c", + "sha1": "9aa4aafda89325853ffa66169e697529164a23a2", + "sha256": "13091dcb3e3f4f52c3ff210e93aaf1dce142cfc09f671aeac5b922393b23e67b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791633952768, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\actxprxy.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + 
"more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535165, + "hashes": { + "imphash": "ae5e5f76641aadaf99f0ca29d2e1cadd", + "md5": "1f4492fe41767cdb8b89d17655847cdd", + "sha1": "c836a5e65d56900b6658fdaa3df8579bdd07ec69", + "sha256": "184547fac0c3d7148faa3f601929a7089de393bd19929a137dad743331dd3f77" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791719739392, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ntmarta.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259030, + "hashes": { + "imphash": "f792b6ec2e11bc79d8eb1bb1bcb79a91", + "md5": "4e4ffb09d895aa000dd56d1404f69a7e", + "sha1": "40f5c1890f6de5284f6c897255e6907b0272349a", + "sha256": "d999e04bb35780088480eab322176570591a21e311d204bdcab010a63b34d24c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791794974720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WLDAP32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 
00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258853, + "hashes": { + "imphash": "2507624727988c72eb2a628a990000fd", + "md5": "c4f40f6cacd796a8e16671d0e9a2f319", + "sha1": "0881ae2a2fd3c5f03654410c474e5a25317942b2", + "sha256": "44853c645915d910ed0cc6d38f68b6c222528ec5fcbe990e238010f41204e682" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791729897472, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\shdocvw.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534923, + "hashes": { + "imphash": "e52a872655c57d1b906101b6d5449bbf", + "md5": "a0a65d306a5490d2eb8e7de66898ecfd", + "sha1": "880ac520eb1d38ebb591707a26e6dd300df40643", + "sha256": "ce5da408f4edd5e81ce0925867f03c9a35172cf1571fe4c4c052e45ab69822bb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791729831936, + "mapped_size": 0, + "path": 
"C:\\Windows\\system32\\LINKINFO.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258932, + "hashes": { + "imphash": "0e8a67fa12ce3d22a9e1d18bda5c3260", + "md5": "7a17485dc7d8a7ac81321a42cd034519", + "sha1": "83d1722a35eb16b010d8c9f72c627e97d4642101", + "sha256": "88d8705fa901793fc8c1cfd0175e49a6502bf0fc94a066ba573d2fd13aa5f04a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791745036288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USERENV.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258852, + "hashes": { + "imphash": "8b5c65294bec1cf89e97325a24b8cfc5", + "md5": "4e9c2db10f7e6ae91bf761139d4b745b", + "sha1": "6e8e6a53269ca8acc8c2456c80cd3a56d8deb98d", + 
"sha256": "8f63f78294f5585d599a114af449dcc447ccb239d0f0b490bfe6b34a2146e730" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791704207360, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\shacct.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535152, + "hashes": { + "imphash": "44b39e98ae2946f304f4dbadcfffa307", + "md5": "5b3ebfc3da142324b388ddcc4465e1ff", + "sha1": "86e20ebf70fd35723eb635c4f3684891a2547a7b", + "sha256": "5d58642305311f9bc9b779c9598bfc4e7433b3ea58404bf1ff9466838a2328c7" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791716069376, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SAMLIB.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": 
"http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258793, + "hashes": { + "imphash": "7fec5787890bfedd3b3aa4082f53a08e", + "md5": "fc51229c7d4afa0d6f186133728b95ab", + "sha1": "f7a2f224356e68b612ecce4512c99f5b9c264d7d", + "sha256": "37e58c8e1c8437d1981725a5dcdaca7316cefbb570370cefc8d122f523b96ac0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791714168832, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\samcli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258588, + "hashes": { + "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", + "md5": "6ceca4c6a489c9b2e6073afdaae3f607", + "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", + "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722426368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\netutils.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": 
"Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535084, + "hashes": { + "imphash": "14bd8d9a93b98b2479e1f6cd57b7c790", + "md5": "7cb3acb163de051169095dc6507b8977", + "sha1": "b891ebebb25655157f7c612d5763e995c86009a2", + "sha256": "45d4deb0695440d8b5e959945b3f7a773e02e2ab305e316123a1064fc1905402" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791703945216, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msls31.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257535, + "hashes": { + "imphash": "bf738a2fc0ab0601eea36f35e4cbcd27", + "md5": "0bee002c68e28ce6da161dcf1376d7d7", + "sha1": "d5cc3bec12c801e11217acc6927e1e6e401fe208", + "sha256": "1d4ee0b9ce22d139478008d5591b8c9f027c235cba601f95a96547cf98159d4b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791631134720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\authui.dll", + 
"signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258007, + "hashes": { + "imphash": "76801e47683b36a4115dbe046717edbe", + "md5": "b3bfbd758506ecb50c5804aaa76318f9", + "sha1": "bf6c922467347a6690eb19c5e82be09b3295778b", + "sha256": "34e079a6ab2d41d1e0b3887b6ae31c43941061b7176fff2801c3f465c2c89578" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791630020608, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTUI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257999, + "hashes": { + "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", + "md5": "3f9f2afa135f0663946a006dd5ffd897", + "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", + "sha256": 
"276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760896000, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258373, + "hashes": { + "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", + "md5": "884415bd4269c02eaf8e2613bf85500d", + "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", + "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759060992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSASN1.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + 
"program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258922, + "hashes": { + "imphash": "75124ca243f494ff6127697f3ebc418a", + "md5": "5fada8b707318e1bd63a7e2b81e6c8cb", + "sha1": "c5ad1c9bbc2f565237a144b9cf44711dfcf65ea5", + "sha256": "2590e88cab52fcc1b24cb262d293131c6280a5f234e0c130e77aa8697efa3b5f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791793401856, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\urlmon.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258980, + "hashes": { + "imphash": "248b27a31ddf696c2e3bfe6aed9c3eba", + "md5": "f6c5302e1f4813d552f41a0ac82455e5", + "sha1": "f0ec3ad7e90f559d1bc9b8849cf5668cafba2031", + "sha256": "e3ebf44621efc6381baae0f0efc13c356dcb6ee31bb258137edb3cc3e18549b5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791786455040, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WININET.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258097, + "hashes": { + "imphash": "f6db6123d8a383f58cf318d00d2e7d1d", + "md5": "5180380d353277d395d3b36d790aa93e", + "sha1": "d5622ec5d922233867422d1e143969e226bb9a1c", + "sha256": "89b894eccf65704d00d30ea3bd45b184bfab8345b779f9ae2be66b9fc7226f72" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791780032512, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\iertutil.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535234, + "hashes": { + "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", + "md5": "94e026870a55aaeaff7853c1754091e9", + "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", + "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743004672, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\VERSION.dll", + "signature_signer": 
"Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259004, + "hashes": { + "imphash": "da0bcac0c5f9dc653d00eecd5fb1c801", + "md5": "0d9764d58c5efd672b7184854b152e5e", + "sha1": "99d78db040987c69b6a70a42af86641ba0413956", + "sha256": "9827b43dabbec39ab2e2294408d9c5304ef27a684903c5234c6070387723d49e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758209024, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINSTA.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535280, + "hashes": { + "imphash": "af1203c1d6d810c97729856780869b12", + "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", + "sha1": "c53e005cd04d99331ce3114ac119256133202313", + "sha256": 
"81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791683301376, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINMM.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258936, + "hashes": { + "imphash": "7e9874f9ecf2191b91f9a4dfa37f2ba1", + "md5": "1473768973453de50dc738c2955fc4dd", + "sha1": "7b046f6070844e3bc7deae115a1dfe5825030513", + "sha256": "14bc5da2442cb726acc1f277ddbeccf5d61e3a0a3e083a55a0bb610191e35220" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791648239616, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wdmaud.drv", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + 
"program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535081, + "hashes": { + "imphash": "086996ef0b01a463f114deb5244861b9", + "md5": "8560fffc8eb3a806dcd4f82252cfc8c6", + "sha1": "7562bbb63b0db6e4986ebdb86495c4fe284a1eaa", + "sha256": "cc27bc092369a89d6147b16568fedeb68b584d5738cd686c31f7fae22ed17b3b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 1968373760, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ksuser.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534742, + "hashes": { + "imphash": "690cce63d22e22d9aa225c4a9290b2c4", + "md5": "78a1e65207484b7f8d3217507745f47c", + "sha1": "3542a591e9c97b48739f69e2a193dff461ea097c", + "sha256": "35f413adb9d157f3666dd15dd58104d629cd9143198a1ab914b73a4a3c9903dd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791718625280, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\AVRT.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + 
}, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257517, + "hashes": { + "imphash": "64661addcde8896487dcc7cd32a4eda9", + "md5": "dc220ae6f64819099f7ebd6f137e32e7", + "sha1": "5707f15b666c7d3b07dfce9dac665a2e45c39113", + "sha256": "b8fe13b859fa83500dd95637fa6d4a5b8392c2a363e41d014d3b5374f636e1de" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791659118592, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\AUDIOSES.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534992, + "hashes": { + "imphash": "3bf8d3fd03f9d07b7821df4b1da2be9d", + "md5": "1b7c3a37362c7b2890168c5fc61c8d9b", + "sha1": "78ba8d596c0ac4c38acb498416957891570a2a1d", + "sha256": "03727930e5bb5f9d91bab901fc9a2e3b795d68e2aee6a2cc3477f356c45a9c54" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791728062464, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msacm32.drv", + "signature_signer": 
"Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534991, + "hashes": { + "imphash": "9611d7fd4fe3c571fbf1db3d718ba82c", + "md5": "10ac5ce9f78dc281a1bbd9b8cc587b8a", + "sha1": "207582f9d9bec00a932fba886d575ee5b6502d42", + "sha256": "72288c0a88916d3c3828dbd948dbdb0928f26106319f8e60102d6c9004514d60" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791716659200, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSACM32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hashes": { + "imphash": "5a8ee2f48e79ef6ac4b33366d6642b50", + "md5": "ca2a0750ed830678997695ff61b04c30", + "sha1": "a27df990dde73e72bb02105f8af689a1ac324e59", + "sha256": 
"e84860cd97aa3c4565abb2d5d406a5c42b1ad2d8ba1b8cf81fe564d91f15f976" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727996928, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\midimap.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535256, + "hashes": { + "imphash": "04a5e982c134477b1914ebcd7b6436d0", + "md5": "d6f630c1fd7f436316093ae500363b19", + "sha1": "197897b74f411040ba7df41a5bd3c1030661b904", + "sha256": "73a94b4938430396ea4240b1a6676b4e6c19cfaf8c52efb9a69b4b2175a86307" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727734784, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\XmlLite.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + 
"program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258889, + "hashes": { + "imphash": "8181b1ef70ff3d29984db497f92a2662", + "md5": "c3761661c17c2248a9379a8fb89e3de1", + "sha1": "d2ea41e02bbaa77f8b93b09277596a34cdae8853", + "sha256": "ce3477fa2b4058eb80739e0161fe957545f13cf86d313f6422732901d35f75f2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791617568768, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\stobject.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257641, + "hashes": { + "imphash": "fbe995ff97475c5aa2777a4bc493d4b1", + "md5": "f832eeea97cdda1af577e721f652a0d1", + "sha1": "48f227a1e10d49edf56e3559e05c871bc285c199", + "sha256": "ebbb7ca199ba4df231123922bd310d43de0104c6185b70fe0281b938d5336f2e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791616782336, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\BatMeter.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535260, + "hashes": { + "imphash": "5d8fff13bf206e589cae241fc7f4d464", + "md5": "bd3674be7fc9d8d3732c83e8499576ed", + "sha1": "cb96190d6366e11dd6e6b48f4cdc4332015cfa67", + "sha256": "e6716a5895d629263a4d21959f48840429ab6f4b55a5fa2663ee5e86c9ca2bf1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727538176, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WTSAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259008, + "hashes": { + "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", + "md5": "eb3f9c2de1236b5d46b2291d82970e43", + "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", + "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759781888, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINTRUST.dll", + "signature_signer": 
"Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534970, + "hashes": { + "imphash": "8accd78cb7feca81ac448f0485be30dc", + "md5": "4166f82be4d24938977dd1746be9b8a0", + "sha1": "5174036d781677f5444d9a23079baf18f4bbda44", + "sha256": "24121751b7306225ad1c808442d7b030def377e9316aa0a3c5c7460e87317881" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730159616, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\es.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257970, + "hashes": { + "imphash": "8c20d7b93902b8c193a7fc1b4b58e9aa", + "md5": "42a9cb6906d9a8bedc83b57163e62924", + "sha1": "50e5592460d91205e912d55f60a2dd3cc4da4329", + "sha256": 
"e18522d3137653140757829efbfce624a5baa5842e2bba10b9e5ab6c84be49e1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791614619648, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dxp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258826, + "hashes": { + "imphash": "1df61af51096e9bbbdc1834405984e4c", + "md5": "2d2a6ec8ead30ec3ace2fd6fb1b3e122", + "sha1": "1e77948378474e155307d290b998994f720206bf", + "sha256": "e7ea375a3bde8fc764cb09524344370b9ee25f98ad6c83e6f37a569eb8d277d6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791614160896, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\prnfldr.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": 
"Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259000, + "hashes": { + "imphash": "2f59265cb3df847423b60921203365be", + "md5": "0015acfbbdd164a8a730009908868ca7", + "sha1": "671c084513461900550bd49d3dccb58bdbe05adf", + "sha256": "e1ff243ad2cf959fab81efe701592414991c03416ff296adc93906e76b707c4d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791654924288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINSPOOL.DRV", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535225, + "hashes": { + "imphash": "3d49b728c9125f451e7f2f215e9d3bbb", + "md5": "2bc7c9fd0a9f2c9afc373f3ad1ee3891", + "sha1": "1b7c6960a72509d1f408022d791c6a65acb2a75d", + "sha256": "0a82a475301202791a7c10f978f952eab7db146a702d4ea67e24e2c98bc19638" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791648108544, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Syncreg.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258789, + "hashes": { + "imphash": "c5c69e7d20ca382ddbc49947d651a8e7", + "md5": "10f815be90a66aafc6c713d1bd626064", + "sha1": "3e21f173a6bcdf629c442d89abadc48137c61bb2", + "sha256": "01139fc04bc53594296f6a0e16b8d20b940f64bc8119fe7705c03c4947958f39" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791612325888, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\pnidui.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258791, + "hashes": { + "imphash": "6437e4761b1278fdecf142a679216f7b", + "md5": "b9f0a4020aa98b7a20287bf7fe99a1fd", + "sha1": "1f28ac7493ce972b45de191780a190504d1d0c44", + "sha256": "21138f161eeea46198890c7a2d073f2c82829e15676131bdad9f237edc7477cd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791612194816, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\QUtil.dll", + "signature_signer": "Microsoft Windows", + 
"signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535239, + "hashes": { + "imphash": "deeb658dae29d8df1c8dbb08f06801b0", + "md5": "3c073b0c596a0af84933e7406766b040", + "sha1": "06185554c38353211430f5f075c490558e46fb3d", + "sha256": "4698bba678f553e15ad4b07ad7fb236281f872defee97bfd637114476c8f97b3" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791752769536, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wevtapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258586, + "hashes": { + "imphash": "97bb6eee9e1ea3e5751077b655b54de5", + "md5": "a42f2c1eb3b66c54fb3c7b79d30c1a6d", + "sha1": "cee705de8d3dfcc9e2a14e0249d6be61fcd54a18", + "sha256": "a63836db3b01835dc1311526a95198d6ebccb1dc9ddafbc38ec36c128cdb98b9" + 
}, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791609507840, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\netshell.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258138, + "hashes": { + "imphash": "0bc508389b6b5577cf3cca214ca523a7", + "md5": "2b81776da02017a37fe26c662827470e", + "sha1": "8c85389640bea73a009d83079f8b4c963697035f", + "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727210496, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + 
"compile_time": 1247535145, + "hashes": { + "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", + "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", + "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", + "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791763648512, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NSI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535281, + "hashes": { + "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", + "md5": "4c9210e8f4e052f6a4eb87716da0c24c", + "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", + "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791726948352, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\WINNSI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + 
"serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258583, + "hashes": { + "imphash": "7e01da4b2a8806d2944a3ff2e271958f", + "md5": "2df36f15b2bc1571a6a542a3c2107920", + "sha1": "660a44b660d8e57ef7d7efbbc006ac390a7901fa", + "sha256": "a918f1ee95269df973421af2f5713deeaf15ef0f77baa7e8c515ffb69896fb7a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735992320, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\nlaapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534791, + "hashes": { + "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", + "md5": "4cbcc37856ea2039c27a2fb661dda0e5", + "sha1": "cc666108d34168420a1d1942dda1e090154c7296", + "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791723999232, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + 
"architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258981, + "hashes": { + "imphash": "1ec347d133df2fe4da3e5f8944caeae8", + "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", + "sha1": "d48aafa576b40a5e386e609bba1010472551154a", + "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788486656, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WS2_32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:35" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257492, + "hashes": { + "imphash": "f5d0254c5435291634c8b7357aa536bd", + "md5": "92dbf0a4c9239169010fc6e07859c82e", + "sha1": "634d8c12de82c422dfeba8f9a5fa84d03b7bcd35", + "sha256": "00fb2cf4420f0ffef519afe732a708cf249640121e2a891caa164313abd7f804" + }, + "malware_classification": { + "identifier": 
"Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791608655872, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\Actioncenter.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534790, + "hashes": { + "imphash": "f17020f0f66b64fbdf51c75b43f3729d", + "md5": "f568f7c08458d69e4fcd8675bbb107e4", + "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", + "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791723868160, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257996, + "hashes": { + 
"imphash": "eb1c8dd21e1f92a8be35a76b165ce8da", + "md5": "52d3d5e3586988d4d9e34acaac33105c", + "sha1": "2c20246d2c45fb6e8976b37ad62465f5f4255f2b", + "sha256": "c61b60ba962b25b8334f0941c3535ea4aca1cc060b8a196e396ca3e11ceef8a1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791746412544, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\credssp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258110, + "hashes": { + "imphash": "9ba63732839305b29ebe539451171b45", + "md5": "8130391f82d52d36c0441f714136957f", + "sha1": "e2bb102565986a42d0a43bd3f337f94dbe54eead", + "sha256": "1fd4fee7caf63e450f27729e07ea2a2f09288629fd872dbb6e8710b16d8dbd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791608131584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\imapi2.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + 
"subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258038, + "hashes": { + "imphash": "e070eff3751fea77ccd424469a9a07e6", + "md5": "6a5c1a8ac0b572679361026d0e900420", + "sha1": "fd9241fdda4b9d08ff1e205f9d5f78923ab884d8", + "sha256": "b5e693b48b462e97738a3d4e58b60846159649eb15f4d11074b4bc107cc88562" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791607345152, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\hgcpl.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535139, + "hashes": { + "imphash": "1e00eab90042e5099339cb82841b434a", + "md5": "f7073c962c4fb7c415565dde109de49f", + "sha1": "671c2e910ff954700b3a1f80608423697895c0a9", + "sha256": "781e7088dcefbc34a808c3e7da41a56112b3f23abe9f54b5ef4d5cd9cd016b1d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791680090112, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\npmproxy.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + 
"issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258777, + "hashes": { + "imphash": "d402ebf00a5cffa66b6682780c262457", + "md5": "6b851e682a36453e1b1ee297ffb6e2ab", + "sha1": "3dc85ba13d1f720e8039865817bcc65dc0f1d35b", + "sha256": "a641d3fd9463c4788b45b8b5584ea4489c1f63a71b4b595ae85ff3482cd5eda6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791606099968, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\QAgent.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534818, + "hashes": { + "imphash": "09bf801b36364c598a2a8fdff079932c", + "md5": "cd1b5ad07e5f7fef30e055dcc9e96180", + "sha1": "4e835fdadd0c67fde44e385f69a1014d6ad11f4f", + "sha256": "63c58551f32b0b09377f64a6ae1fa81af93b8a707a57a8c18722086906ad3046" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + 
"version": "3.0.0" + }, + "mapped_address": 8791745167360, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DEVRTL.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258413, + "hashes": { + "imphash": "08a9b8e4e42e5520be662b4663289747", + "md5": "1eac1a8ca6874bf5b15e2efb9a9a7b86", + "sha1": "30cff16f17833aa042d8b6cc32d86c4a39c77c67", + "sha256": "e15ed4fefc3010c213694331ddfdc03767682325c898d773ab243e2dc8b08461" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791633100800, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MsftEdit.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258939, + "hashes": { + "imphash": "6ac24d44010fe2db4d5e9e0651b7a3cf", + "md5": 
"f9959237f106f2b2609e61a290c0652e", + "sha1": "7f7c92c4fe8244a7deac7fed4d5576042bfba29e", + "sha256": "fccc12e5aae1773bf87b1c4bce71d017db1a5a7ac189559058ea1ecc72075a82" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791628709888, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\werconcpl.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535233, + "hashes": { + "imphash": "cce75846cdf9d74f85e44fc728ee8440", + "md5": "9689a9c7f7c2a1a423cda2c3b43fff65", + "sha1": "ebe6b3066634239a4f62780a8a6e27f33b0afc87", + "sha256": "914ad22d98975578bc14d821f72e8dfce24f2092f9c299d24ebbaf5408fe8b8b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791646994432, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wer.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp 
Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257998, + "hashes": { + "imphash": "6e52c6bdbfd3d257064382284bd4f59c", + "md5": "1484b9ebf567346582de571b0e164ae0", + "sha1": "6b87eb7005fe659f976732307fe12b96747dfc8d", + "sha256": "9862bf22b2e32dabe7a82acee5b4ea1f0a93bdc3c71b20a6a4e568cccd76a7a6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791628382208, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\framedynos.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535235, + "hashes": { + "imphash": "64b92457c7762d63f903189058d583ca", + "md5": "7e591867422dc788b9e5bd337a669a08", + "sha1": "3bd1b2a2271d6756351d9b4876193efd8a845da0", + "sha256": "484e6bccdf7adce9a1aacad1bc7c7d7694b9e40fa90d94b14d80c607784f6c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791628251136, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wercplsupport.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft 
Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258497, + "hashes": { + "imphash": "2814c7c81c59e8a913c288a8c72a9c1c", + "md5": "5c29199c9f0ede64f17f268084ec4392", + "sha1": "a767e893427f9b24fe06cbb3a155dd54162a402a", + "sha256": "ea9fd588a8c89399dd287399a912b356a4234cfe418239b227d255749f5ddde2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791652564992, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\msxml6.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:35" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247534858, + "hashes": { + "imphash": "2ab209fb6a68c8e15483324a442c1c4c", + "md5": "809ae7d4ace06bbcf621e5c504bf6fc8", + "sha1": "c0e2202d99db67a9efa6c67226410ad3c7b657a6", + "sha256": "0baab89fb57468f27446947d75cbd6ddfc92d9b8f040144a12656803b2f7bf65" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 
8791722491904, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\hcproviders.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:36" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258095, + "hashes": { + "imphash": "328b1cd6b239c7c01904019379bede4b", + "md5": "77a8a1791145710c7efe76ea82bf0763", + "sha1": "e421318d7b6d66c9214722c736f5b3d4207acf74", + "sha256": "9488b96e065299d273f9dcc82aa1203b48f0038d4f27324da19e9bfd925ca737" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791627726848, + "mapped_size": 0, + "path": "C:\\Program Files\\Internet Explorer\\ieproxy.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258892, + "hashes": { + "imphash": "ec50511b4e46da8b1a467667a84f8047", + "md5": "9cead32e79a62150fe9f8557e58e008b", + 
"sha1": "4cbd17b96209b5e2da683382e05cef55f48d6107", + "sha256": "afe4c1725ee94d7de0749ae1495a4e5cc33c369f29b2a589da66ffe27ff9777e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757357056, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SXS.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258896, + "hashes": { + "imphash": "d75a096a9c47b1fd385a268e9c6f2f68", + "md5": "24f4b480f335a6c724af352253c5d98b", + "sha1": "a388cc90338cec7b5eec66e921599de0cc275a2b", + "sha256": "011413b236cad7b78ce0a0eec3e3085d48c7576a3205d025ba6ebfdf590538e4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791660232704, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\thumbcache.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, 
+ "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247527581, + "hashes": { + "imphash": "be693a67b5b884d7609eaf574ba00955", + "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", + "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", + "sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2009726976, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PSAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:36" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258093, + "hashes": { + "imphash": "39d5c5468a8e87803234025334b9dc09", + "md5": "f1115299b9f4c983bc4523b33e3a506c", + "sha1": "639946c23b630798284a92117882990ea31d702e", + "sha256": "01a1d8b3e5cf727f92f4a43d5c5f81022127d58a850d29d3f084ad411efbc9dd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791578836992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ieframe.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 
07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535131, + "hashes": { + "imphash": "84786d42c8a896b9a971b3c9eb8feb4c", + "md5": "9869a4a10b90546dbd56947839fb4b87", + "sha1": "5d9642f314d62dc5834cbd7950230bad3f85d982", + "sha256": "66c84dcf39d9f6896d55b1623184a028891a0a98abe6044de1d4bad60c3c8d72" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791591157760, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEACC.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258887, + "hashes": { + "imphash": "e6c083bfcedd032db2c66cd04f74c620", + "md5": "4e81439902079c348b61d7ff027fe147", + "sha1": "4386a5580b459aa4a0701addb753c3f9bf3da6f7", + "sha256": "e652c9ec77745504689532b3c394959f9b5bc29e9c008cb9ee09cda818514fa9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791658594304, + "mapped_size": 0, + "path": 
"C:\\Windows\\System32\\StructuredQuery.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258589, + "hashes": { + "imphash": "45badcf3f18f69f9f72af5245898d1cb", + "md5": "405f4d32d2185f1f1bd753d8eeaffb3a", + "sha1": "68bc45bac1e1584c789a6b3134bee5a2540f3e56", + "sha256": "cac42c3e09c43be96592b670d70821386014db22d8239a9cfb9e33e54fb5c3d5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791656890368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NetworkExplorer.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258495, + "hashes": { + "imphash": "cdb39fb77293fb1bb86c2d5980ea8e88", + "md5": "022b05cee68d7826a93aedb4f1eb369e", + "sha1": 
"e7055d6cacb8c3fae06dc10ad480c8e6b8b7b592", + "sha256": "3b864d1471ed0949b02f1fa251b987185abeaddcbecd44efdbb6a7b7f03ca8bc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791625760768, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\msxml3.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258914, + "hashes": { + "imphash": "6b6c83729fa36b04c301494d1eb07752", + "md5": "bb074f35b49eb2ea416962b596281e1e", + "sha1": "355fdb9e66ffad42144b1b6ec4d8eb357ed05d52", + "sha256": "e07208204b9616027e5144e2f3ef1ba81168365b7d2a761210b0fbc65b97871e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791623598080, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\systemcpl.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + 
"more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258594, + "hashes": { + "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", + "md5": "764908fe1fa96f93c95b1b67a0fced29", + "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", + "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722557440, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\NETAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259010, + "hashes": { + "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", + "md5": "3c91392d448f6e5d525a85b7550d8ba9", + "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", + "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722295296, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wkscli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + 
"subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534877, + "hashes": { + "imphash": "3e340766bf7f54e3e9746a945d4dcb71", + "md5": "a77be7cb3222b4fb0ac6c71d1c2698d4", + "sha1": "e68b4e0058fb130c765e5aa98af36e26563809db", + "sha256": "73566223914bf670df6b5931fa213e546713531b10391ed65b5256bbd7abde7f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735926784, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\DSROLE.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258758, + "hashes": { + "imphash": "c888173aa662e52d4b6194ed15819a13", + "md5": "db76db15efc6e4d1153a6c5bc895948d", + "sha1": "00dc6172c4507def32e4a269c08e76ab09abc3fe", + "sha256": "71ddf02c7ee2df66a08f1a2a08da39802c354624880a2be93a706ea7476422a3" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791690641408, + "mapped_size": 0, + "path": 
"C:\\Windows\\system32\\SPPC.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535243, + "hashes": { + "imphash": "9484a9d0a0e3ef20592c9f66412400a6", + "md5": "666a60f6f5e719856ff6254e0966eff7", + "sha1": "10258e708443bd21997e7a977b5ee36bd758e368", + "sha256": "58c072e7e215991e19c1ca062c476081982f7b9f039714539ae7feb4981c200f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791716200448, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbem\\wbemprox.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258938, + "hashes": { + "imphash": "03a62984ba62616e18740e69949df533", + "md5": "7db5aa22a8a8e5c2d335f44853c1f6de", + "sha1": "add6f6e2b6df5f571d06db724de5c7badad4e775", + 
"sha256": "a734a20357026c42950394682a52cbc3af956d09f1949e1b4e95467e999bc428" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791690051584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbemcomn.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535244, + "hashes": { + "imphash": "6178a249d43f815225b0a9205f1f4f70", + "md5": "718b6f51ab7f6fe2988a36868f9ad3ab", + "sha1": "7cc84a20d6597f58eebabea5489d72239c6e746b", + "sha256": "76141b4e94c2766e2c34cef523092948771a7893212efadbe88d2171b85ff012" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791683170304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbem\\wbemsvc.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": 
"http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247534846, + "hashes": { + "imphash": "c93ca8ec08e734d1b95c2a2d28884c47", + "md5": "a3f5e8ec1316c3e2562b82694a251c9e", + "sha1": "f0cdc2b44e609950ee97d9967c7459055a2af1a8", + "sha256": "f3dc6aa6a9d3b5bbc730668fc52c1d4bb5d515d404578bddd3d4869a7ed58822" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791688675328, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbem\\fastprox.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535150, + "hashes": { + "imphash": "29f9ce11d25836037034b49be93790c6", + "md5": "ee26d130808d16c0e417bbbed0451b34", + "sha1": "962d52fb4d8f9965c5fc11a98f2f9048a2a5d918", + "sha256": "4886dce4faef146a40babd492a8000a2022fea542a6135a9bafd4cd09297b4e5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791688478720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NTDSAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + 
"subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258103, + "hashes": { + "imphash": "ba45ab39c8fb40e4076d27cf8e0f4180", + "md5": "b8509dcfcfd577f568be4026bfd982c0", + "sha1": "1923c5995faf94d9b1767aca04e3134a5cedc07a", + "sha256": "e3608e6de15c400fa437349e7295fef10a1a0213ca3b532a58964b8c89749110" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788355584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\imagehlp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + } + ], + "name": "explorer.exe", + "parent_exe": "", + "parent_name": "", + "pid": 784, + "ppid": 704, + "primary_token": { + "domain": "WIN-Q3DOP1UKA81", + "integrity_level": 12288, + "integrity_level_name": "high", + "privileges": [ + { + "description": "Adjust memory quotas for a process", + "enabled": false, + "name": "SeIncreaseQuotaPrivilege" + }, + { + "description": "Manage auditing and security log", + "enabled": false, + "name": "SeSecurityPrivilege" + }, + { + "description": "Take ownership of files or other objects", + "enabled": false, + "name": "SeTakeOwnershipPrivilege" + }, + { + "description": "Load and unload device drivers", + "enabled": false, + "name": "SeLoadDriverPrivilege" + }, + { + "description": "Profile system performance", + "enabled": false, + "name": "SeSystemProfilePrivilege" + }, + { + "description": "Change the system time", + "enabled": false, + "name": "SeSystemtimePrivilege" + }, + { + "description": "Profile single process", + "enabled": false, + "name": "SeProfileSingleProcessPrivilege" + }, + { + 
"description": "Increase scheduling priority", + "enabled": false, + "name": "SeIncreaseBasePriorityPrivilege" + }, + { + "description": "Create a pagefile", + "enabled": false, + "name": "SeCreatePagefilePrivilege" + }, + { + "description": "Back up files and directories", + "enabled": false, + "name": "SeBackupPrivilege" + }, + { + "description": "Restore files and directories", + "enabled": false, + "name": "SeRestorePrivilege" + }, + { + "description": "Shut down the system", + "enabled": false, + "name": "SeShutdownPrivilege" + }, + { + "description": "Debug programs", + "enabled": false, + "name": "SeDebugPrivilege" + }, + { + "description": "Modify firmware environment values", + "enabled": false, + "name": "SeSystemEnvironmentPrivilege" + }, + { + "description": "Bypass traverse checking", + "enabled": true, + "name": "SeChangeNotifyPrivilege" + }, + { + "description": "Force shutdown from a remote system", + "enabled": false, + "name": "SeRemoteShutdownPrivilege" + }, + { + "description": "Remove computer from docking station", + "enabled": false, + "name": "SeUndockPrivilege" + }, + { + "description": "Perform volume maintenance tasks", + "enabled": false, + "name": "SeManageVolumePrivilege" + }, + { + "description": "Impersonate a client after authentication", + "enabled": true, + "name": "SeImpersonatePrivilege" + }, + { + "description": "Create global objects", + "enabled": true, + "name": "SeCreateGlobalPrivilege" + }, + { + "description": "Increase a process working set", + "enabled": false, + "name": "SeIncreaseWorkingSetPrivilege" + }, + { + "description": "Change the time zone", + "enabled": false, + "name": "SeTimeZonePrivilege" + }, + { + "description": "Create symbolic links", + "enabled": false, + "name": "SeCreateSymbolicLinkPrivilege" + } + ], + "sid": "S-1-5-21-2016385190-3414718578-1263322444-500", + "type": "tokenPrimary", + "user": "Administrator" + }, + "sha1": "4583daf9442880204730fb2c8a060430640494b1", + "sha256": 
"6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", + "sid": "S-1-5-21-2016385190-3414718578-1263322444-500", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted", + "threads": [ + { + "create_time": 1542341500, + "entrypoint": 4279023504, + "thread_id": 1920, + "up_time": 437 + }, + { + "create_time": 1542341500, + "entrypoint": 2008002240, + "thread_id": 1812, + "up_time": 437 + }, + { + "create_time": 1542341500, + "entrypoint": 8791783440744, + "thread_id": 2472, + "up_time": 436 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2468, + "up_time": 436 + }, + { + "create_time": 1542341500, + "entrypoint": 8791790810108, + "thread_id": 2464, + "up_time": 436 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2476, + "up_time": 435 + }, + { + "create_time": 1542341500, + "entrypoint": 2008021952, + "thread_id": 1800, + "up_time": 434 + }, + { + "create_time": 1542341500, + "entrypoint": 2008021952, + "thread_id": 2516, + "up_time": 433 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2500, + "up_time": 433 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 1068, + "up_time": 432 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2676, + "up_time": 428 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2660, + "up_time": 428 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2748, + "up_time": 428 + }, + { + "create_time": 1542341500, + "entrypoint": 8791729529348, + "thread_id": 2636, + "up_time": 428 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2732, + "up_time": 424 + }, + { + "create_time": 1542341500, + "entrypoint": 8791783440744, + "thread_id": 1472, + "up_time": 419 + }, + { + "create_time": 1542341500, + "entrypoint": 2008021952, + "thread_id": 2220, 
+ "up_time": 415 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 2332, + "up_time": 104 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 3712, + "up_time": 99 + }, + { + "create_time": 1542341800, + "entrypoint": 8791792141832, + "thread_id": 2080, + "up_time": 85 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 4012, + "up_time": 81 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 4060, + "up_time": 81 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 520, + "up_time": 77 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 3236, + "up_time": 74 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 3260, + "up_time": 72 + }, + { + "create_time": 1542341900, + "entrypoint": 8791792141832, + "thread_id": 3680, + "up_time": 56 + }, + { + "create_time": 1542341900, + "entrypoint": 2008021952, + "thread_id": 3708, + "up_time": 55 + }, + { + "create_time": 1542341900, + "entrypoint": 2008021952, + "thread_id": 2512, + "up_time": 55 + }, + { + "create_time": 1542341900, + "entrypoint": 8791792141832, + "thread_id": 3748, + "up_time": 54 + }, + { + "create_time": 1542341900, + "entrypoint": 8791690668104, + "thread_id": 3872, + "up_time": 51 + }, + { + "create_time": 1542341900, + "entrypoint": 8791683305488, + "thread_id": 1016, + "up_time": 26 + }, + { + "create_time": 1542341900, + "entrypoint": 2008021952, + "thread_id": 3520, + "up_time": 26 + }, + { + "create_time": 1542341900, + "entrypoint": 8791792141832, + "thread_id": 3992, + "up_time": 13 + }, + { + "create_time": 1542341900, + "entrypoint": 8791760904360, + "thread_id": 3604, + "up_time": 12 + } + ], + "unique_pid": 35, + "unique_ppid": 0, + "up_time": 437, + "user": "Administrator" + } + }, + "captured_file": false, + "file_name": 
"C:\\Users\\Administrator\\Downloads\\endpointpe-blacklist-test.exe", + "file_operation": "open", + "file_owner": "Administrators", + "file_size": 188416, + "hashes": { + "imphash": "835d619dfdf3cc727cebd91300ab3462", + "md5": "4ace3baaa509d08510405e1b169e325b", + "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", + "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" + }, + "is_signature_trusted": false, + "malware_classification": { + "compressed_malware_features": { + "data_buffer": "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", + "decompressed_size": 27831, + "encoding": "zlib" + }, + "identifier": "endpointpe", + "prevention_threshold": 0.66, + "score": 1, + "threshold": 0.66, + "version": "3.0.33" + }, + "pid": 784, + "ppid": 704, + "signature_signer": "", + "temp_file_path": "C:\\Windows\\TEMP\\581ac9e2-e9ea-499e-8ec6-d7eed985b6c3", + "timestamp": { + "accessed": 1542341100, + "created": 1542341100, + "modified": 1542341100 + }, + "user_blacklisted": false + }, + "event_subtype_full": "file_classification_event", + "event_type_full": "alert_event", + "metadata": { + "beta_alert": false, + "chunk_id": 0, + "collection_time": 1542341900, + "correlation_id": "9a754fa1-f526-4390-9adf-640cae174f66", + "destination_plugin": "send", + "final": true, + "is_alert": true, + "key": "fileClassificationEventResponse", + "message_id": "7b97295f-3aae-4dc8-944f-039f1064c55b", + "origination_task_id": "010d9a4e-dd34-4dfa-b283-a492a5785e90", + "os_type": "windows", + "priority": 80, + "result": { + "local_code": 0, + "local_msg": "Success" + }, + "semantic_version": "3.50.0", + "sensor_version": "3.50.0", + "task_id": "010d9a4e-dd34-4dfa-b283-a492a5785e90", + "type": "prevention" + }, + "opcode": 8, + "serial_event_id": 141336, + "timestamp": 132140205750594450, + "timestamp_utc": "2019-09-27 01:16:15Z" + }, + "event": { + "action": "file_classification_event", + "dataset": "esensor", + "kind": "alert", + "module": "endgame" + }, + "host": { 
+ "hostname": "HD-c15-bc09190a", + "ip": "10.179.244.14", + "name": "HD-c15-bc09190a", + "os": { + "name": "Windows", + "platform": "windows", + "version": "6.1" + } + }, + "labels": { + "account_id": "8c48070b-4b61-4ded-86d5-1b9a7a78229c", + "endpoint_id": "ced9c68e-b94a-4d66-bb4c-6106514f0a2f" + }, + "user": { + "group": { + } + } + }, + "type": "_doc" + } + }, + { + "type": "doc", + "value": { + "id": "9ONEc20BW148Je-ro712", + "index": "test_alert_data", + "source": { + "@timestamp": 1542346435000, + "agent": { + "id": "c89dc040-2350-4d59-baea-9ff2e369136f", + "type": "endgame", + "version": "3.0.0" + }, + "ecs": { + "version": "1.1.0" + }, + "endgame": { + "data": { + "alert_details": { + "acting_process": { + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "cmdline": "\"C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe\"", + "create_time": 1542345900, + "domain": "NT AUTHORITY", + "exe": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", + "hashes": { + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" + }, + "imphash": "c30d230b81c734e82e86e2e2fe01cd01", + "is_sensor": false, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "modules": [ + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + 
}, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424710, + "hashes": { + "imphash": "c30d230b81c734e82e86e2e2fe01cd01", + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 5354225664, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 05:28" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258681, + "hashes": { + "imphash": "d41d8cd98f00b204e9800998ecf8427e", + "md5": "3556d5a8bf2cc508bdab51dec38d7c61", + "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", + "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2001141760, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": 
"Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258315, + "hashes": { + "imphash": "9165b02c931d76a9b666d8d42128111b", + "md5": "7a6326d96d53048fdec542df23d875a0", + "sha1": "5c02af0206c299f5bcab8da4237cfc92e3e93495", + "sha256": "182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 1999962112, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\kernel32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258316, + "hashes": { + "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", + "md5": "da68c291b4ef2dec9c5963266bcae454", + "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", + "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + 
"mapped_address": 8791752769536, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\KERNELBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258929, + "hashes": { + "imphash": "2cb501375ed127591bf5cfee7f1e52fe", + "md5": "fe70103391a64039a921dbfff9c7ab1b", + "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", + "sha256": "f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 1998913536, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USER32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258001, + "hashes": { + "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", + "md5": "1084aa52ccc324ea54c7121fa24c2221", + 
"sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", + "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791766269952, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\GDI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534943, + "hashes": { + "imphash": "919110853c18aa198ad129945337b1dd", + "md5": "d202223587518b13d72d68937b7e3f70", + "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", + "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758929920, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\LPK.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 
11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258933, + "hashes": { + "imphash": "17bf46cf6bf6c8cae48be5b75615a353", + "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", + "sha1": "66310680ee38904b2852717af13028e53b4e8b8e", + "sha256": "2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760175104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USP10.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hashes": { + "imphash": "8c99b1c0f6cf68b07336751f460f1dba", + "md5": "7319bb10fa1f86e49e3dcf4136f6c957", + "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", + "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791765286912, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msvcrt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 
00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534699, + "hashes": { + "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", + "md5": "6df46d2bd74e3da1b45f08f10d172732", + "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", + "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791761027072, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ADVAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535198, + "hashes": { + "imphash": "b8ba136689cdc8d8b25fc04902f39a22", + "md5": "83404dcbce4925b6a5a77c5170f46d86", + "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", + "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791789010944, + "mapped_size": 0, 
+ "path": "C:\\Windows\\SYSTEM32\\sechost.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258798, + "hashes": { + "imphash": "46876e4adb924a616ddbbb1992d61257", + "md5": "0611473c1ad9e2d991cd9482068417f7", + "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", + "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791770726400, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RPCRT4.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424472, + "hashes": { + "imphash": "a24cfb84e3006f3634d5b09aed45c264", + "md5": "56e6aa240cf6503265fbe5cf4d5889e8", + "sha1": "2678a3c08b2f82598527bd0c064eb1be5877e277", + "sha256": "4e7e127e2818eeb2de34a9369dcaca233443f085e53706c969592a9907df2ae8" + }, + "malware_classification": { + 
"identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791706042368, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\AP.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424450, + "hashes": { + "imphash": "f12460104bb4725d7964cf569f727f61", + "md5": "58017789505c114426b63c775debc12b", + "sha1": "0a348ca38bbcf851083578b77a8263765bd9b5e7", + "sha256": "1bd7d7b7b69e15adb6fcf0b520a7107eb5270163935e1f50fcee85ed65440b46" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791701979136, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\Protobuf.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1438071093, + "hashes": { + "imphash": "341d1190606326748a708433d5d0cc36", + "md5": "0a2be3ed5a71082e5f9296f79323a639", + "sha1": "6acb15e8191b5530297c807d3066b1a71f4326d4", + "sha256": 
"8847013e01db09adab6a1dc338803df3696730577a0dda847847540529048aae" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791700799488, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\libprotobuf.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Code Signing PCA", + "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", + "subject_name": "Microsoft Corporation" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "10/04/2013 22:49" + }, + "more_info_link": "http://microsoft.com", + "program_name": "msvcp120.dll", + "publisher_link": "" + }, + "compile_time": 1380942867, + "hashes": { + "imphash": "d0a59246eab41d54812cd63c2326e1f1", + "md5": "46060c35f697281bc5e7337aee3722b1", + "sha1": "d0164c041707f297a73abb9ea854111953e99cf1", + "sha256": "2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791700078592, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSVCP120.dll", + "signature_signer": "Microsoft Corporation", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Code Signing PCA", + "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", + "subject_name": "Microsoft Corporation" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", + "subject_name": "Microsoft Time-Stamp Service", + 
"timestamp_string": "10/04/2013 22:49" + }, + "more_info_link": "http://microsoft.com", + "program_name": "msvcr120.dll", + "publisher_link": "" + }, + "compile_time": 1380942847, + "hashes": { + "imphash": "8f18e22935ef8b336e246ee763fbec97", + "md5": "9c861c079dd81762b6c54e37597b7712", + "sha1": "62cb65a1d79e2c5ada0c7bfc04c18693567c90d0", + "sha256": "ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791699095552, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSVCR120.dll", + "signature_signer": "Microsoft Corporation", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258732, + "hashes": { + "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", + "md5": "6c60b5aca7442efb794082cdacfc001c", + "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", + "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791767121920, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ole32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + 
"serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258736, + "hashes": { + "imphash": "774fed8966de60d3af2dd9070df5be6f", + "md5": "42f05f980f164e084db65b2e8cd8430f", + "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", + "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791769808896, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEAUT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258981, + "hashes": { + "imphash": "1ec347d133df2fe4da3e5f8944caeae8", + "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", + "sha1": "d48aafa576b40a5e386e609bba1010472551154a", + "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791771971584, + 
"mapped_size": 0, + "path": "C:\\Windows\\system32\\WS2_32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535145, + "hashes": { + "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", + "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", + "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", + "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756898304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NSI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258859, + "hashes": { + "imphash": "4b37cbf60127ea0550ec30e0b1c52984", + "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", + "sha1": 
"3b099b193abb9064e6937101d0c309f04d713882", + "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759650816, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHLWAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257495, + "hashes": { + "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", + "md5": "497bfeddaf3950dd909c3b0c5558a25d", + "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", + "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791725768704, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": 
"Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258138, + "hashes": { + "imphash": "0bc508389b6b5577cf3cca214ca523a7", + "md5": "2b81776da02017a37fe26c662827470e", + "sha1": "8c85389640bea73a009d83079f8b4c963697035f", + "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720460288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IPHLPAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535281, + "hashes": { + "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", + "md5": "4c9210e8f4e052f6a4eb87716da0c24c", + "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", + "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720198144, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINNSI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": 
"Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247527581, + "hashes": { + "imphash": "be693a67b5b884d7609eaf574ba00955", + "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", + "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", + "sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2003042304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PSAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1472978395, + "hashes": { + "imphash": "3a8c832bddbba9333df28c1da212318e", + "md5": "e1c637922e34d868ebcd6ef199cf1394", + "sha1": "01c19a0137082a03ecace613506af5fe9a66a12b", + "sha256": "0c0c7b4c9926413c285fa2345f08b895888887156277e535851a1f1d774e6c6c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791698243584, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason 
ActiveProbe\\SQLite2015.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534912, + "hashes": { + "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", + "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", + "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", + "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791766073344, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IMM32.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535018, + "hashes": { + "imphash": "b523fff180cb22465ccf191b827e9923", + "md5": "c431eaf5caa1c82cac2534a2eab348a3", + "sha1": 
"e425577ccfc9b92efbbcb760d21fcaa478d3e51a", + "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791761944576, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSCTF.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534874, + "hashes": { + "imphash": "621a31b25a9ef1d128ea281b3eab572b", + "md5": "0040c486584a8e582c861cfb57ab5387", + "sha1": "bcf326e3f79b3db028c2ef1cc1a47d9697e867e7", + "sha256": "5ee17b55cb702d14ae75b19226de21cd2498bda6c6ef5872fdb8a718f401fed1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791719346176, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\fwpuclnt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" 
+ }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258848, + "hashes": { + "imphash": "cc4d63ca30fdbb90048e549782d2116a", + "md5": "858df0795cb5b4bace0f33708925a414", + "sha1": "e629ed78e6e1829263890974760dad8a431edf69", + "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791748050944, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Secur32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258854, + "hashes": { + "imphash": "9c631776d86c9b15258c3cc2a6a7891d", + "md5": "26e716ed95dc48cf6e5ac046089366af", + "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", + "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791772299264, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\shell32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c 
e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "11/29/2016 03:22" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1480418473, + "hashes": { + "imphash": "f89e0a919d52e2b37d82d27f521530cf", + "md5": "f1a6e89598aa63a2efcfd1e31b44fe7c", + "sha1": "cd3a39758e72f42ef077c0ad9dd700509a032da6", + "sha256": "1ee6540520a7a84bc22036be42052303b5aed9911c9e8a04184a0688c63576f8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791694901248, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDUpdateServiceCom.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258594, + "hashes": { + "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", + "md5": "764908fe1fa96f93c95b1b67a0fced29", + "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", + "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791715807232, + 
"mapped_size": 0, + "path": "C:\\Windows\\system32\\NETAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258588, + "hashes": { + "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", + "md5": "6ceca4c6a489c9b2e6073afdaae3f607", + "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", + "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791715676160, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\netutils.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258920, + "hashes": { + "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", + "md5": "3a9c9baf610b0dd4967086040b3b62a9", + "sha1": 
"3207ac7f895eab34623d994548d7810e54be3e79", + "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791746609152, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\srvcli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259010, + "hashes": { + "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", + "md5": "3c91392d448f6e5d525a85b7550d8ba9", + "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", + "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791715545088, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wkscli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + 
"more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535234, + "hashes": { + "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", + "md5": "94e026870a55aaeaff7853c1754091e9", + "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", + "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791736254464, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\VERSION.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/18/2017 09:26" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484760175, + "hashes": { + "imphash": "b33f679b12d9d05d922e720c0e21818c", + "md5": "1e5ea729f6dc5a8aff675a45706d389d", + "sha1": "f5a70ab4772325946a93c9eaf48ebe1dd1e7d3a3", + "sha256": "35da922b25ec8389a733f46a6c0d37c2c6b05463a123cde9fee48402c473e1ef" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791694245888, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\scan.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", 
+ "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "11/22/2016 08:08" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1479830743, + "hashes": { + "imphash": "513a166377e008d25aa2e22983dd13ff", + "md5": "3450d998edec5cdbd03b0df09c17e02d", + "sha1": "558979fb1a9368acdf2dc1e3d1afd94e7343f914", + "sha256": "c1f24493e4fc2a9c5d17e077455c3a610ad1e5fa46590f0f9598e680e5a07556" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791694114816, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/16/2017 05:34" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484573247, + "hashes": { + "imphash": "d6d5dc292fe4d710905e9f280360309d", + "md5": "9f1bcf84eaa34afbdfcf19f22fc1d6f5", + "sha1": "e15e023d46738f4848f64ce853ada6a3083f8b7f", + "sha256": "d1c30b1a7fc63c4f52b00628c3e73f571db52ff2b87718bcb5a6322923f58987" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + 
"version": "3.0.0" + }, + "mapped_address": 8791693000704, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdquar.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/16/2017 05:34" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484573248, + "hashes": { + "imphash": "4e1a791e94ac955105ddfaac387de22f", + "md5": "874d6017f89a2ef255a16280ed4b1bf7", + "sha1": "8951c3ab1c9ea0c312206b98d22a9779c8a89c8c", + "sha256": "00512202b78037c17a77b095fcb3458381002dbd20de8dee0c99ff7701343cda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791691427840, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDSmartDB.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257756, + "hashes": { + 
"imphash": "5cd9d6761799e2ff681533ef1ffbb31d", + "md5": "2477a28081bdaee622cf045acf8ee124", + "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", + "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791752376320, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CFGMGR32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "DigiCert Assured ID Code Signing CA-1", + "serial_number": "0f b5 4c 96 fd 63 93 fd 7b b9 9c d1 d0 d5 16 ed ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "09/12/2018 01:20" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1512623776, + "hashes": { + "imphash": "e2dab13fa4a67b25d3fbae65a189c521", + "md5": "627d7f1de23e6b01d6251b4c6962e765", + "sha1": "5e1d1854861016198ce4a1dbdea883f257de9463", + "sha256": "82bdf513b5f5b55ff740482ee839b14455b2296e2a911cb9a1ae622969412ed5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791684612096, + "mapped_size": 0, + "path": "C:\\ProgramData\\apv2\\bd_db\\1\\bdcore.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping 
Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "09/13/2017 23:13" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1505278115, + "hashes": { + "imphash": "c2979e6e570392ed85b4e15810f2e90f", + "md5": "3b4c71b64bc20b0c6578a091a031c0fb", + "sha1": "00cb578e723555e929e4ad8e820772b56ce29475", + "sha256": "52db08c10a5f1482dda8527d592f71b33c1cfecfa5a5a2d0be5a78325c41dd7b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791673536512, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdnc.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257999, + "hashes": { + "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", + "md5": "3f9f2afa135f0663946a006dd5ffd897", + "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", + "sha256": "276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791753490432, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { 
+ "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258373, + "hashes": { + "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", + "md5": "884415bd4269c02eaf8e2613bf85500d", + "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", + "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791752310784, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSASN1.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535280, + "hashes": { + "imphash": "af1203c1d6d810c97729856780869b12", + "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", + "sha1": "c53e005cd04d99331ce3114ac119256133202313", + "sha256": "81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" + }, + "malware_classification": { + 
"identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791680024576, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINMM.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258927, + "hashes": { + "imphash": "b32250da0d30f7782b5b900d4d9c519a", + "md5": "2a86e54b441ad41557f75dc5609b9793", + "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", + "sha256": "8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791749951488, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SSPICLI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258493, + "hashes": { + 
"imphash": "466f15f36f10655b30e9347e7dfc2b52", + "md5": "1d5185a4c7e6695431ae4b55c3d7d333", + "sha1": "5e9f739d46e20541ffc0a6421dc6be416ca8f261", + "sha256": "16f3906c54f1d71559836fdfcf4e83e7c9f454463d78fd577ad2d7022e0bcb51" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743463424, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\mswsock.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535287, + "hashes": { + "imphash": "f967c6b35a5d1b7765016056a842e331", + "md5": "31559f3244c6bc00a52030caa83b6b91", + "sha1": "7943540153c7b7878101a4901d7935e05e7cfd32", + "sha256": "b2025742b5f0025ace9821d5722de3f997eeeab21d2f381c9e307882df422579" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791737106432, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wshtcpip.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 
00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534998, + "hashes": { + "imphash": "77870f98ca4d25a823c74d7404a64bfd", + "md5": "d0c2fbb6d97416b0166478fc7ae2b212", + "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", + "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743856640, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTSP.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 17:43" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535161, + "hashes": { + "imphash": "b8c20a01e4d94df61ee21f5350389f9c", + "md5": "5d8874a8c11dddde29e12de0e2013493", + "sha1": "a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", + "sha256": "3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791740710912, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\rsaenh.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": 
{ + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534993, + "hashes": { + "imphash": "f0c6fd6831905d958b05645b680db89f", + "md5": "784fa3df338e2e8f5f0389d6fac428af", + "sha1": "6d32c67c91c6d374854e907c6719db2538540867", + "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791750541312, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257906, + "hashes": { + "imphash": "ff74e3ff0a015c2023b747f613061e42", + "md5": "a52b6cc24063cc83c78c0e6f24deec01", + "sha1": "a5384efac7d1f9213aaf0423ed0b021bc986b9df", + "sha256": "77e0d2b2356e71f9be52fa479c9dde17c453c198bb49cd4a97f2309628d82e3b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + 
"threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791741890560, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DNSAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534791, + "hashes": { + "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", + "md5": "4cbcc37856ea2039c27a2fb661dda0e5", + "sha1": "cc666108d34168420a1d1942dda1e090154c7296", + "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791717642240, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534790, + "hashes": { + "imphash": 
"f17020f0f66b64fbdf51c75b43f3729d", + "md5": "f568f7c08458d69e4fcd8675bbb107e4", + "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", + "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791717117952, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534847, + "hashes": { + "imphash": "dda6776607f283829d85b996f5e46d03", + "md5": "f3d202f53a222d5f6944d459b73cf967", + "sha1": "c9db224ce8ec34aa2f341b6766ea67aa12f8b4a7", + "sha256": "e9f1d48eb333d32331bcfd0348fe07bee7d5352292e6020571da395f596affe7" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791668686848, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\FLTLIB.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c 
", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535135, + "hashes": { + "imphash": "ff720e05e534d67b814b8562265058f5", + "md5": "2c942733a5983dd4502219ff37c7ebc7", + "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", + "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791751393280, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\profapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259008, + "hashes": { + "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", + "md5": "eb3f9c2de1236b5d46b2291d82970e43", + "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", + "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791753228288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINTRUST.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + } + ], + "name": "AmSvc.exe", + "parent_exe": 
"C:\\Windows\\System32\\services.exe", + "parent_name": "services.exe", + "pid": 1084, + "ppid": 436, + "primary_token": { + "domain": "NT AUTHORITY", + "integrity_level": 16384, + "integrity_level_name": "system", + "privileges": [ + { + "description": "Replace a process level token", + "enabled": false, + "name": "SeAssignPrimaryTokenPrivilege" + }, + { + "description": "Lock pages in memory", + "enabled": true, + "name": "SeLockMemoryPrivilege" + }, + { + "description": "Adjust memory quotas for a process", + "enabled": false, + "name": "SeIncreaseQuotaPrivilege" + }, + { + "description": "Act as part of the operating system", + "enabled": true, + "name": "SeTcbPrivilege" + }, + { + "description": "Manage auditing and security log", + "enabled": false, + "name": "SeSecurityPrivilege" + }, + { + "description": "Take ownership of files or other objects", + "enabled": false, + "name": "SeTakeOwnershipPrivilege" + }, + { + "description": "Load and unload device drivers", + "enabled": true, + "name": "SeLoadDriverPrivilege" + }, + { + "description": "Profile system performance", + "enabled": true, + "name": "SeSystemProfilePrivilege" + }, + { + "description": "Change the system time", + "enabled": false, + "name": "SeSystemtimePrivilege" + }, + { + "description": "Profile single process", + "enabled": true, + "name": "SeProfileSingleProcessPrivilege" + }, + { + "description": "Increase scheduling priority", + "enabled": true, + "name": "SeIncreaseBasePriorityPrivilege" + }, + { + "description": "Create a pagefile", + "enabled": true, + "name": "SeCreatePagefilePrivilege" + }, + { + "description": "Create permanent shared objects", + "enabled": true, + "name": "SeCreatePermanentPrivilege" + }, + { + "description": "Back up files and directories", + "enabled": true, + "name": "SeBackupPrivilege" + }, + { + "description": "Restore files and directories", + "enabled": true, + "name": "SeRestorePrivilege" + }, + { + "description": "Shut down the system", + "enabled": 
false, + "name": "SeShutdownPrivilege" + }, + { + "description": "Debug programs", + "enabled": true, + "name": "SeDebugPrivilege" + }, + { + "description": "Generate security audits", + "enabled": true, + "name": "SeAuditPrivilege" + }, + { + "description": "Modify firmware environment values", + "enabled": false, + "name": "SeSystemEnvironmentPrivilege" + }, + { + "description": "Bypass traverse checking", + "enabled": true, + "name": "SeChangeNotifyPrivilege" + }, + { + "description": "Remove computer from docking station", + "enabled": false, + "name": "SeUndockPrivilege" + }, + { + "description": "Perform volume maintenance tasks", + "enabled": false, + "name": "SeManageVolumePrivilege" + }, + { + "description": "Impersonate a client after authentication", + "enabled": true, + "name": "SeImpersonatePrivilege" + }, + { + "description": "Create global objects", + "enabled": true, + "name": "SeCreateGlobalPrivilege" + }, + { + "description": "Increase a process working set", + "enabled": true, + "name": "SeIncreaseWorkingSetPrivilege" + }, + { + "description": "Change the time zone", + "enabled": true, + "name": "SeTimeZonePrivilege" + }, + { + "description": "Create symbolic links", + "enabled": true, + "name": "SeCreateSymbolicLinkPrivilege" + } + ], + "sid": "S-1-5-18", + "type": "tokenPrimary", + "user": "SYSTEM" + }, + "services": [ + { + "name": "CybereasonAntiMalware" + } + ], + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2", + "sid": "S-1-5-18", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted", + "threads": [ + { + "create_time": 1542345900, + "entrypoint": 5354476452, + "thread_id": 1088, + "up_time": 601 + }, + { + "create_time": 1542345900, + "entrypoint": 2001252032, + "thread_id": 1116, + "up_time": 600 + }, + { + "create_time": 1542345900, + "entrypoint": 8791691510992, + "thread_id": 1204, + "up_time": 598 + }, + { + "create_time": 1542345900, 
+ "entrypoint": 8791691468912, + "thread_id": 1220, + "up_time": 598 + }, + { + "create_time": 1542345900, + "entrypoint": 8791673571008, + "thread_id": 1392, + "up_time": 586 + }, + { + "create_time": 1542345900, + "entrypoint": 8791673571008, + "thread_id": 1396, + "up_time": 586 + }, + { + "create_time": 1542345900, + "entrypoint": 8791673574320, + "thread_id": 1400, + "up_time": 586 + }, + { + "create_time": 1542345900, + "entrypoint": 8791673638416, + "thread_id": 1404, + "up_time": 586 + }, + { + "create_time": 1542345900, + "entrypoint": 2001271744, + "thread_id": 1520, + "up_time": 584 + }, + { + "create_time": 1542345900, + "entrypoint": 8791699247140, + "thread_id": 1888, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133536, + "thread_id": 1904, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133536, + "thread_id": 1908, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133536, + "thread_id": 1912, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133536, + "thread_id": 1916, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133872, + "thread_id": 1920, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694132592, + "thread_id": 1924, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133216, + "thread_id": 1928, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694134640, + "thread_id": 1932, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 5354393504, + "thread_id": 1936, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 5354393504, + "thread_id": 1944, + "up_time": 547 + }, + { + "create_time": 1542346000, + "entrypoint": 2001271744, + "thread_id": 2372, + "up_time": 509 + }, + { + "create_time": 1542346400, + "entrypoint": 8791743523392, + "thread_id": 4036, + "up_time": 43 + }, + { + 
"create_time": 1542346400, + "entrypoint": 8791673712896, + "thread_id": 4040, + "up_time": 43 + }, + { + "create_time": 1542346400, + "entrypoint": 2002168128, + "thread_id": 3372, + "up_time": 28 + } + ], + "unique_pid": 21, + "unique_ppid": 8, + "up_time": 601, + "user": "SYSTEM" + }, + "acting_thread": { + "create_time": 1542345900, + "service_name": "CybereasonAntiMalware", + "thread_id": 1912, + "thread_start_address": 8791694133536, + "thread_start_address_module": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll" + } + }, + "captured_file": false, + "file_name": "C:\\Windows\\TEMP\\tmp0000045c\\tmp00001b4a", + "file_operation": "creation", + "file_owner": "Administrators", + "file_size": 188416, + "hashes": { + "imphash": "835d619dfdf3cc727cebd91300ab3462", + "md5": "4ace3baaa509d08510405e1b169e325b", + "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", + "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" + }, + "is_signature_trusted": false, + "malware_classification": { + "compressed_malware_features": { + "data_buffer": "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", + "decompressed_size": 27831, + "encoding": "zlib" + }, + "identifier": "endpointpe", + "prevention_threshold": 0.66, + "score": 1, + "threshold": 0.66, + "version": "3.0.33" + }, + "pid": 1084, + "ppid": 436, + "signature_signer": "", + "temp_file_path": "C:\\Windows\\TEMP\\37c97b4b-6ee8-476c-bfdd-c0cd6783b86d", + "timestamp": { + "accessed": 1542346400, + "created": 1542346400, + "modified": 1542346500 + }, + "user_blacklisted": false + }, + "event_subtype_full": "file_classification_event", + "event_type_full": "alert_event", + "metadata": { + "beta_alert": false, + "chunk_id": 0, + "collection_time": 1542346500, + "correlation_id": "2c827da1-f977-42a7-994b-ab7e5cc50329", + "destination_plugin": "send", + "final": true, + "is_alert": true, + "key": "fileClassificationEventResponse", + "message_id": "2280efbc-8bdf-49bf-a712-bc44acdf3eaa", + 
"origination_task_id": "4d9d9e7e-4ea1-4373-954c-e8cdbb85c61d", + "os_type": "windows", + "priority": 80, + "result": { + "local_code": 0, + "local_msg": "Success" + }, + "semantic_version": "3.50.0", + "sensor_version": "3.50.0", + "task_id": "4d9d9e7e-4ea1-4373-954c-e8cdbb85c61d", + "type": "detection" + }, + "opcode": 8, + "serial_event_id": 144711, + "timestamp": 132140207402716480, + "timestamp_utc": "2019-09-27 01:19:00Z" + }, + "event": { + "action": "file_classification_event", + "dataset": "esensor", + "kind": "alert", + "module": "endgame" + }, + "host": { + "hostname": "HD-m3z-4c803698", + "ip": "10.176.220.187", + "name": "HD-m3z-4c803698", + "os": { + "name": "Windows", + "platform": "windows", + "version": "10.0" + } + }, + "labels": { + "account_id": "8c48070b-4b61-4ded-86d5-1b9a7a78229c", + "endpoint_id": "c89dc040-2350-4d59-baea-9ff2e369136f" + }, + "user": { + "group": { + } + } + }, + "type": "_doc" + } + } + ] \ No newline at end of file diff --git a/x-pack/plugins/endpoint/server/types.ts b/x-pack/plugins/endpoint/server/types.ts index c6d0e3dea70cf7f..2dc080f27ab7c82 100644 --- a/x-pack/plugins/endpoint/server/types.ts +++ b/x-pack/plugins/endpoint/server/types.ts @@ -52,3 +52,27 @@ export interface EndpointData { }; }; } + +export interface AlertData { + endgame: { + data: { + file_operation: string; + malware_classification: { + score: number; + }; + }; + metadata: { + key: string; + }; + timestamp_utc: Date; + }; + host: { + hostname: string; + ip: string; + os: { + name: string; // TODO Union types? + platform: string; + version: string; + }; + }; +} From b4eee4f58cb24495eb9fcae5074add926a5da061 Mon Sep 17 00:00:00 2001 
From: Davis Plumlee Date: Tue, 21 Jan 2020 17:02:59 -0700 Subject: [PATCH 06/10] data feeds in from backend but doesnt update --- x-pack/plugins/endpoint/endpoint_app_types.ts | 32 +++++++++++++++++ .../endpoint/store/{actions.ts => action.ts} | 3 +- .../endpoint/store/alerts/action.ts | 19 ++++++++++ .../endpoint/store/alerts/index.ts | 9 +++++ .../endpoint/store/alerts/middleware.ts | 22 ++++++++++++ .../endpoint/store/alerts/reducer.ts | 25 +++++++++++++ .../endpoint/store/alerts/selectors.ts | 9 +++++ .../endpoint/store/alerts/types.ts | 13 +++++++ .../applications/endpoint/store/index.ts | 5 ++- .../applications/endpoint/store/reducer.ts | 5 ++- .../endpoint/view/alerts/index.tsx | 17 ++++++--- .../resolver/store/camera/action.ts | 2 +- x-pack/plugins/endpoint/server/plugin.ts | 2 ++ .../plugins/endpoint/server/routes/alerts.ts | 36 +++++++++++++++++++ .../alerts => server/routes}/sampledata.json | 0 x-pack/plugins/endpoint/server/types.ts | 24 ------------- 16 files changed, 191 insertions(+), 32 deletions(-) create mode 100644 x-pack/plugins/endpoint/endpoint_app_types.ts rename x-pack/plugins/endpoint/public/applications/endpoint/store/{actions.ts => action.ts} (75%) create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/types.ts create mode 100644 x-pack/plugins/endpoint/server/routes/alerts.ts rename x-pack/plugins/endpoint/{public/applications/endpoint/view/alerts => server/routes}/sampledata.json (100%) 
diff --git a/x-pack/plugins/endpoint/endpoint_app_types.ts b/x-pack/plugins/endpoint/endpoint_app_types.ts new file mode 100644 index 000000000000000..4f35a38f44b5c38 --- /dev/null +++ b/x-pack/plugins/endpoint/endpoint_app_types.ts @@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +export interface AlertData { + endgame: { + data: { + file_operation: string; + malware_classification: { + score: number; + }; + }; + metadata: { + key: string; + }; + timestamp_utc: Date; + }; + labels: { + endpoint_id: string; + }; + host: { + hostname: string; + ip: string; + os: { + name: string; // TODO Union types? + platform: string; + version: string; + }; + }; +} diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/actions.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts similarity index 75% rename from x-pack/plugins/endpoint/public/applications/endpoint/store/actions.ts rename to x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts index 796dabce1d76ac9..63555c75bd3d381 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/actions.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts @@ -5,5 +5,6 @@ */ import { EndpointListAction } from './endpoint_list'; +import { AlertAction } from './alerts'; -export type AppAction = EndpointListAction; +export type AppAction = EndpointListAction | AlertAction; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts new file mode 100644 index 000000000000000..4cc8904fcc347a9 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts 
@@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { AlertData } from '../../../../../endpoint_app_types'; + +interface AppRequestedAlertsData { + readonly type: 'appRequestedAlertsData'; +} + +interface ServerReturnedAlertsData { + readonly type: 'serverReturnedAlertsData'; + + readonly payload: AlertData[]; +} + +export type AlertAction = AppRequestedAlertsData | ServerReturnedAlertsData; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts new file mode 100644 index 000000000000000..4b935d22650dc3b --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts @@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +export { alertListReducer } from './reducer'; +export { AlertAction } from './action'; +export * from './types'; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts new file mode 100644 index 000000000000000..6ba17d0c661a912 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts 
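Review bot: The `AppRequestedAlertsData` and `ServerReturnedAlertsData` interfaces carry no documentation, so a reader of `AlertAction` has to hunt for the dispatch sites to learn who emits each one. Add a one-line comment to each, for example `/** Dispatched by the alerts view to ask for the alert list to be loaded. */` and `/** Dispatched by the alerts middleware with the list returned by /api/endpoint/alerts. */`. Consider `readonly payload: ReadonlyArray<AlertData>;` as well, since nothing should mutate an action's payload after it has been dispatched.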
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Middleware, Dispatch } from 'redux';
+import { CoreStart } from 'kibana/public';
+import { GlobalState } from '../reducer';
+import { AppAction } from '../action';
+
+export const alertMiddlewareFactory: (
+ coreStart: CoreStart
+) => Middleware<{}, GlobalState, Dispatch> = coreStart => {
+ return store => next => async action => {
+ next(action);
+ if (action.type === 'appRequestedAlertsData') {
+ const response = await coreStart.http.get('/api/endpoint/alerts');
+ store.dispatch({ type: 'serverReturnedAlertsData', payload: response });
+ }
+ };
+};
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts
new file mode 100644
index 000000000000000..1af9c4f4470dfad
--- /dev/null
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AlertListState } from './types';
+import { AlertAction } from './action';
+
+const initialState = (): AlertListState => {
+ return {
+ alerts: [],
+ };
+};
+
+export const alertListReducer = (state = initialState(), action: AlertAction) => {
+ if (action.type === 'serverReturnedAlertsData') {
+ return {
+ ...state,
+ alerts: action.payload,
+ };
+ }
+
+ return state;
+};
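Review bot: The `await coreStart.http.get('/api/endpoint/alerts')` inside the `appRequestedAlertsData` branch of `alertMiddlewareFactory` has no error handling, so a failed or rejected request becomes an unhandled promise rejection and the store is never told that the load failed. Wrap the call in try/catch and dispatch a failure action (the `AlertAction` union in `alerts/action.ts` would need a matching member) so reducers and the view can react. The response is also dispatched untyped and unchecked; at minimum guard with `Array.isArray(response)` before treating server output as the alert list.
```typescript
  return store => next => async action => {
    next(action);
    if (action.type === 'appRequestedAlertsData') {
      try {
        const response = await coreStart.http.get('/api/endpoint/alerts');
        // do not trust the wire shape blindly; reject anything that is not a list
        const payload = Array.isArray(response) ? response : [];
        store.dispatch({ type: 'serverReturnedAlertsData', payload });
      } catch (error) {
        // TODO add 'serverFailedToReturnAlertsData' to AlertAction so this is
        // reported to the store instead of surfacing as an unhandled rejection
        store.dispatch({ type: 'serverFailedToReturnAlertsData', payload: error });
      }
    }
  };
```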
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts new file mode 100644 index 000000000000000..47269f86fdaab3b --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts @@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { AlertListState } from './types'; + +export const alertListData = (state: AlertListState) => state.alerts; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/types.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/types.ts new file mode 100644 index 000000000000000..0a6eff1a5c800f9 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/types.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { AlertData } from '../../../../../endpoint_app_types'; + +export interface AlertListData { + alerts: AlertData[]; +} + +export type AlertListState = AlertListData; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/index.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/index.ts index bfa1385b9f0ac0e..bca96e72d1ab093 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/index.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/index.ts 
@@ -8,6 +8,7 @@ import { createStore, compose, applyMiddleware, Store } from 'redux'; import { CoreStart } from 'kibana/public'; import { appSagaFactory } from './saga'; import { appReducer } from './reducer'; +import { alertMiddlewareFactory } from './alerts/middleware'; export { GlobalState } from './reducer'; @@ -19,7 +20,9 @@ export const appStoreFactory = (coreStart: CoreStart): [Store, () => void] => { const sagaReduxMiddleware = appSagaFactory(coreStart); const store = createStore( appReducer, - composeWithReduxDevTools(applyMiddleware(sagaReduxMiddleware)) + composeWithReduxDevTools( + applyMiddleware(alertMiddlewareFactory(coreStart), appSagaFactory(coreStart)) + ) ); sagaReduxMiddleware.start(); diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts index 59ca4de91ac8349..ffb20099b10baed 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts @@ -5,12 +5,15 @@ */ import { combineReducers, Reducer } from 'redux'; import { endpointListReducer, EndpointListState } from './endpoint_list'; -import { AppAction } from './actions'; +import { AppAction } from './action'; +import { AlertListState, alertListReducer } from './alerts'; export interface GlobalState { endpointList: EndpointListState; + alertList: AlertListState; } export const appReducer: Reducer = combineReducers({ endpointList: endpointListReducer, + alertList: alertListReducer, }); diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx index 331c38a672aeae7..f2f734b131be04e 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx 
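Review bot: In the `@@ -19,7 +20,9 @@` hunk of `store/index.ts`, `appSagaFactory(coreStart)` is invoked a second time inside `applyMiddleware`, so the saga middleware actually installed in the store is a different instance from `sagaReduxMiddleware`, which is the one the unchanged `sagaReduxMiddleware.start()` line below starts. As far as the context lines show, the installed instance is never started and the started one never receives actions, so whatever the saga drives would silently stop working. Reuse the existing variable: `applyMiddleware(alertMiddlewareFactory(coreStart), sagaReduxMiddleware)`. The body of `appStoreFactory` continues outside the hunk.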
@@ -7,7 +7,9 @@ import { memo, useState, useMemo } from 'react'; import React from 'react'; import { EuiDataGrid } from '@elastic/eui'; -import json from './sampledata.json'; +import { useDispatch, useSelector } from 'react-redux'; +import { AlertAction } from '../../store/alerts/action'; +import * as selectors from '../../store/alerts/selectors'; export const AlertIndex = memo(() => { const columns: Array<{ id: string }> = [ @@ -23,8 +25,16 @@ export const AlertIndex = memo(() => { const [visibleColumns, setVisibleColumns] = useState(() => columns.map(({ id }) => id)); + const dispatch: (action: AlertAction) => unknown = useDispatch(); + dispatch({ type: 'appRequestedAlertsData' }); + + const json = useSelector(selectors.alertListData); + const renderCellValue = useMemo(() => { return ({ rowIndex, columnId }: { rowIndex: number; columnId: string }) => { + if (json === undefined) { + return null; + } if (columnId === 'alert_type') { return json[rowIndex].value.source.endgame.metadata.key; } else if (columnId === 'event_type') { @@ -44,13 +54,12 @@ export const AlertIndex = memo(() => { } return ''; }; - }, []); + }, [json]); return ( { + try { + // const queryParams = await kibanaRequestToEndpointListQuery(req, endpointAppContext); + // const response = (await context.core.elasticsearch.dataClient.callAsCurrentUser( + // 'search', + // queryParams + // )) as SearchResponse; + return res.ok({ + body: json, + headers: { + 'Content-Type': 'application/json', + }, + }); + } catch (err) { + return res.internalError({ body: err }); + } + } + ); +} diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/sampledata.json b/x-pack/plugins/endpoint/server/routes/sampledata.json similarity index 100% rename from x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/sampledata.json rename to x-pack/plugins/endpoint/server/routes/sampledata.json 
diff --git a/x-pack/plugins/endpoint/server/types.ts b/x-pack/plugins/endpoint/server/types.ts index 2dc080f27ab7c82..c6d0e3dea70cf7f 100644 --- a/x-pack/plugins/endpoint/server/types.ts +++ b/x-pack/plugins/endpoint/server/types.ts @@ -52,27 +52,3 @@ export interface EndpointData { }; }; } - -export interface AlertData { - endgame: { - data: { - file_operation: string; - malware_classification: { - score: number; - }; - }; - metadata: { - key: string; - }; - timestamp_utc: Date; - }; - host: { - hostname: string; - ip: string; - os: { - name: string; // TODO Union types? - platform: string; - version: string; - }; - }; -} From 38b513af0d15a770d5750e065194bfe7b9f25042 Mon Sep 17 00:00:00 2001 From: Davis Plumlee Date: Wed, 22 Jan 2020 13:38:11 -0700 Subject: [PATCH 07/10] sample data feeding in correctly --- x-pack/plugins/endpoint/endpoint_app_types.ts | 44 ++++++++++--------- .../endpoint/store/alerts/middleware.ts | 3 +- .../endpoint/store/alerts/reducer.ts | 8 +++- .../endpoint/store/alerts/selectors.ts | 2 + .../endpoint/store/endpoint_list/reducer.ts | 7 ++- .../applications/endpoint/store/reducer.ts | 1 + .../applications/endpoint/store/selectors.ts | 32 ++++++++++++++ .../endpoint/view/alerts/index.tsx | 18 +++++--- 8 files changed, 83 insertions(+), 32 deletions(-) create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts diff --git a/x-pack/plugins/endpoint/endpoint_app_types.ts b/x-pack/plugins/endpoint/endpoint_app_types.ts index 4f35a38f44b5c38..7dabf7cfdab1911 100644 --- a/x-pack/plugins/endpoint/endpoint_app_types.ts +++ b/x-pack/plugins/endpoint/endpoint_app_types.ts 
@@ -5,28 +5,30 @@ */ export interface AlertData { - endgame: { - data: { - file_operation: string; - malware_classification: { - score: number; + value: { + source: { + endgame: { + data: { + file_operation: string; + malware_classification: { + score: number; + }; + }; + metadata: { + key: string; + }; + timestamp_utc: Date; + }; + labels: { + endpoint_id: string; + }; + host: { + hostname: string; + ip: string; + os: { + name: string; // TODO Union types? + }; }; - }; - metadata: { - key: string; - }; - timestamp_utc: Date; - }; - labels: { - endpoint_id: string; - }; - host: { - hostname: string; - ip: string; - os: { - name: string; // TODO Union types? - platform: string; - version: string; }; }; } diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts index 6ba17d0c661a912..4432bc30681ae3c 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts @@ -6,6 +6,7 @@ import { Middleware, Dispatch } from 'redux'; import { CoreStart } from 'kibana/public'; +import { AlertData } from '../../../../../endpoint_app_types'; import { GlobalState } from '../reducer'; import { AppAction } from '../action'; @@ -15,7 +16,7 @@ export const alertMiddlewareFactory: ( return store => next => async action => { next(action); if (action.type === 'appRequestedAlertsData') { - const response = await coreStart.http.get('/api/endpoint/alerts'); + const response: AlertData[] = await coreStart.http.get('/api/endpoint/alerts'); store.dispatch({ type: 'serverReturnedAlertsData', payload: response }); } }; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts index 1af9c4f4470dfad..d06fd313ac1a3d7 100644 
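Review bot: `timestamp_utc: Date` in the reshaped `AlertData` does not match the wire format: the value arrives through `coreStart.http.get` as parsed JSON, and the sample data this series ships carries it as the string `"2019-09-27 01:19:00Z"`, so any caller that trusts the type and calls `Date` methods on it will fail at runtime. Declare it as `timestamp_utc: string;` and parse with `new Date(...)` where a `Date` is actually needed. Relatedly, the middleware hunk on this same line, `const response: AlertData[] = await coreStart.http.get(...)`, only annotates an untyped result; nothing checks that the body is an array of alerts before it is dispatched, so an `Array.isArray(response)` guard would be prudent before trusting server output.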
--- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts @@ -4,8 +4,9 @@ * you may not use this file except in compliance with the Elastic License. */ +import { Reducer } from 'react'; import { AlertListState } from './types'; -import { AlertAction } from './action'; +import { AppAction } from '../action'; const initialState = (): AlertListState => { return { @@ -13,7 +14,10 @@ const initialState = (): AlertListState => { }; }; -export const alertListReducer = (state = initialState(), action: AlertAction) => { +export const alertListReducer: Reducer = ( + state = initialState(), + action +) => { if (action.type === 'serverReturnedAlertsData') { return { ...state, diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts index 47269f86fdaab3b..95c988387eb3446 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts @@ -4,6 +4,8 @@ * you may not use this file except in compliance with the Elastic License. */ +import { createSelector } from 'reselect'; +import { AlertData } from '../../../../../endpoint_app_types'; import { AlertListState } from './types'; export const alertListData = (state: AlertListState) => state.alerts; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts index 9813777c988ef01..9747fc6aa2ce852 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts 
@@ -4,8 +4,10 @@ * you may not use this file except in compliance with the Elastic License. */ +import { Reducer } from 'react'; import { EndpointListState } from './types'; import { EndpointListAction } from './action'; +import { AppAction } from '../action'; const initialState = (): EndpointListState => { return { @@ -16,7 +18,10 @@ const initialState = (): EndpointListState => { }; }; -export const endpointListReducer = (state = initialState(), action: EndpointListAction) => { +export const endpointListReducer: Reducer = ( + state = initialState(), + action +) => { if (action.type === 'serverReturnedEndpointList') { return { ...state, diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts index ffb20099b10baed..15aa4e1e3b778fd 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts @@ -14,6 +14,7 @@ export interface GlobalState { } export const appReducer: Reducer = combineReducers({ + // TODO FIX THIS endpointList: endpointListReducer, alertList: alertListReducer, }); diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts new file mode 100644 index 000000000000000..cf34784f9146682 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts 
@@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { GlobalState } from './reducer'; +import * as alertListSelectors from './alerts/selectors'; + +export const alertListData = composeSelectors( + alertListStateSelector, + alertListSelectors.alertListData +); + +/** + * Returns the alert list state from within Global State + */ +function alertListStateSelector(state: GlobalState) { + return state.alertList; +} + +// TODO abstract this its in two places +/** + * Calls the `secondSelector` with the result of the `selector`. Use this when re-exporting a + * concern-specific selector. `selector` should return the concern-specific state. + */ +function composeSelectors( + selector: (state: OuterState) => InnerState, + secondSelector: (state: InnerState) => ReturnValue +): (state: OuterState) => ReturnValue { + return state => secondSelector(selector(state)); +} diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx index f2f734b131be04e..007f886f84b2f71 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx 
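Review bot: The `// TODO abstract this its in two places` comment on `composeSelectors` records a duplication this commit introduces rather than resolving it; lifting the helper into a shared module under `store/` would remove the copy and the TODO, and the comment should at least read `it's`. The exported `alertListData` selector also has no doc comment; `/** Alerts currently held in the store's alertList slice. */` would tell callers what they get back. The type parameter list of `composeSelectors` appears to have been lost in this rendering, so the signature itself is not reviewable here.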
@@ -4,12 +4,12 @@ * you may not use this file except in compliance with the Elastic License. */ -import { memo, useState, useMemo } from 'react'; +import { memo, useState, useMemo, useEffect } from 'react'; import React from 'react'; import { EuiDataGrid } from '@elastic/eui'; import { useDispatch, useSelector } from 'react-redux'; import { AlertAction } from '../../store/alerts/action'; -import * as selectors from '../../store/alerts/selectors'; +import * as selectors from '../../store/selectors'; export const AlertIndex = memo(() => { const columns: Array<{ id: string }> = [ @@ -26,15 +26,19 @@ export const AlertIndex = memo(() => { const [visibleColumns, setVisibleColumns] = useState(() => columns.map(({ id }) => id)); const dispatch: (action: AlertAction) => unknown = useDispatch(); - dispatch({ type: 'appRequestedAlertsData' }); + + useEffect(() => { + dispatch({ type: 'appRequestedAlertsData' }); + }, [dispatch]); const json = useSelector(selectors.alertListData); const renderCellValue = useMemo(() => { return ({ rowIndex, columnId }: { rowIndex: number; columnId: string }) => { - if (json === undefined) { + if (json.length === 0) { return null; } + if (columnId === 'alert_type') { return json[rowIndex].value.source.endgame.metadata.key; } else if (columnId === 'event_type') { 
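Review bot: The new `if (json.length === 0) return null;` guard in `renderCellValue` only covers the empty-list case; every branch below still indexes `json[rowIndex]` unchecked, so if the `rowCount` handed to `EuiDataGrid` (not visible in this hunk) ever exceeds the selector result, the render throws. Replace the guard with `const alert = json[rowIndex]; if (alert === undefined) return null;` and read `alert.value.source...` in the branches, which also shortens each access. The component body continues outside the hunk.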
@@ -52,14 +56,14 @@ export const AlertIndex = memo(() => { } else if (columnId === 'malware_score') { return json[rowIndex].value.source.endgame.data.malware_classification.score; } - return ''; + return null; }; }, [json]); return ( Date: Thu, 23 Jan 2020 10:59:51 -0500 Subject: [PATCH 08/10] Fix combineReducers issue by importing Redux type from 'redux' package --- .../public/applications/endpoint/store/alerts/reducer.ts | 2 +- .../public/applications/endpoint/store/alerts/selectors.ts | 2 -- .../public/applications/endpoint/store/alerts/types.ts | 4 +--- .../applications/endpoint/store/endpoint_list/reducer.ts | 2 +- .../endpoint/public/applications/endpoint/store/reducer.ts | 5 ++--- 5 files changed, 5 insertions(+), 10 deletions(-) diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts index d06fd313ac1a3d7..34b2f017740af7c 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts @@ -4,7 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ -import { Reducer } from 'react'; +import { Reducer } from 'redux'; import { AlertListState } from './types'; import { AppAction } from '../action'; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts index 95c988387eb3446..47269f86fdaab3b 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts 
@@ -4,8 +4,6 @@ * you may not use this file except in compliance with the Elastic License. */ -import { createSelector } from 'reselect'; -import { AlertData } from '../../../../../endpoint_app_types'; import { AlertListState } from './types'; export const alertListData = (state: AlertListState) => state.alerts; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/types.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/types.ts index 0a6eff1a5c800f9..d08795d512e209e 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/types.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/types.ts @@ -6,8 +6,6 @@ import { AlertData } from '../../../../../endpoint_app_types'; -export interface AlertListData { +export interface AlertListState { alerts: AlertData[]; } - -export type AlertListState = AlertListData; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts index 9747fc6aa2ce852..241c6f69ec6b7bf 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts @@ -4,7 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ -import { Reducer } from 'react'; +import { Reducer } from 'redux'; import { EndpointListState } from './types'; import { EndpointListAction } from './action'; import { AppAction } from '../action'; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts index 15aa4e1e3b778fd..9e93d35af9790ce 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts 
@@ -9,12 +9,11 @@ import { AppAction } from './action'; import { AlertListState, alertListReducer } from './alerts'; export interface GlobalState { - endpointList: EndpointListState; - alertList: AlertListState; + readonly endpointList: EndpointListState; + readonly alertList: AlertListState; } export const appReducer: Reducer = combineReducers({ - // TODO FIX THIS endpointList: endpointListReducer, alertList: alertListReducer, }); From 62d158b6894f185145077c61e358f61db4566628 Mon Sep 17 00:00:00 2001 From: Pedro Jaramillo Date: Thu, 23 Jan 2020 17:11:11 -0500 Subject: [PATCH 09/10] Add usePageId hook that fires action when user navigates to page --- x-pack/plugins/endpoint/endpoint_app_types.ts | 2 ++ .../applications/endpoint/store/action.ts | 3 ++- .../endpoint/store/alerts/action.ts | 6 +----- .../endpoint/store/alerts/middleware.ts | 2 +- .../endpoint/store/routing/action.ts | 15 ++++++++++++++ .../endpoint/store/routing/index.ts | 7 +++++++ .../applications/endpoint/store/selectors.ts | 1 - .../endpoint/view/alerts/index.tsx | 11 ++++------ .../applications/endpoint/view/use_page_id.ts | 20 +++++++++++++++++++ 9 files changed, 52 insertions(+), 15 deletions(-) create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/store/routing/action.ts create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/store/routing/index.ts create mode 100644 x-pack/plugins/endpoint/public/applications/endpoint/view/use_page_id.ts diff --git a/x-pack/plugins/endpoint/endpoint_app_types.ts b/x-pack/plugins/endpoint/endpoint_app_types.ts index 7dabf7cfdab1911..eeae0ea5b15f2cf 100644 --- a/x-pack/plugins/endpoint/endpoint_app_types.ts +++ b/x-pack/plugins/endpoint/endpoint_app_types.ts @@ -32,3 +32,5 @@ export interface AlertData { }; }; } + +export type PageId = 'alertsPage' | 'endpointListPage'; 
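Review bot: `PageId` is added as an exported type with no TSDoc, although it becomes the payload of the new `userNavigatedToPage` routing action later in this series. Suggest `/** Identifier of a top-level page of the endpoint app; sent as the payload of the 'userNavigatedToPage' action. */` above it so the union's purpose is clear where it is defined.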
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts index 63555c75bd3d381..593041af75c05ae 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts @@ -6,5 +6,6 @@ import { EndpointListAction } from './endpoint_list'; import { AlertAction } from './alerts'; +import { RoutingAction } from './routing'; -export type AppAction = EndpointListAction | AlertAction; +export type AppAction = EndpointListAction | AlertAction | RoutingAction; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts index 4cc8904fcc347a9..20a123218c751e5 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts @@ -6,14 +6,10 @@ import { AlertData } from '../../../../../endpoint_app_types'; -interface AppRequestedAlertsData { - readonly type: 'appRequestedAlertsData'; -} - interface ServerReturnedAlertsData { readonly type: 'serverReturnedAlertsData'; readonly payload: AlertData[]; } -export type AlertAction = AppRequestedAlertsData | ServerReturnedAlertsData; +export type AlertAction = ServerReturnedAlertsData; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts index 4432bc30681ae3c..9b377ec63e71f65 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts 
@@ -15,7 +15,7 @@ export const alertMiddlewareFactory: (
 ) => Middleware<{}, GlobalState, Dispatch> = coreStart => {
 return store => next => async action => {
 next(action);
-if (action.type === 'appRequestedAlertsData') {
+if (action.type === 'userNavigatedToPage' && action.payload === 'alertsPage') {
 const response: AlertData[] = await coreStart.http.get('/api/endpoint/alerts');
 store.dispatch({ type: 'serverReturnedAlertsData', payload: response });
 }
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/action.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/action.ts
new file mode 100644
index 000000000000000..082564af358866e
--- /dev/null
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/action.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { PageId } from '../../../../../endpoint_app_types';
+
+interface UserNavigatedToPage {
+ readonly type: 'userNavigatedToPage';
+
+ readonly payload: PageId;
+}
+
+export type RoutingAction = UserNavigatedToPage;
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/index.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/index.ts
new file mode 100644
index 000000000000000..68fd04d6a835537
--- /dev/null
+++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/index.ts
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { RoutingAction } from './action';
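Review bot: `await coreStart.http.get('/api/endpoint/alerts')` in this hunk has no error handling; redux never awaits the promise returned by the async middleware arrow, so a failed request becomes an unhandled rejection and the store is never told the fetch failed. Wrap the request in `try { … } catch (e: unknown) { … }` and surface the failure (a dispatched error action, or at least a logged message with context) instead of letting it escape. The `AlertData[]` annotation on the `get` result is also only an assertion about the server payload; nothing checks the documents before they are dispatched as `serverReturnedAlertsData`, so a validation step here would protect the renderers downstream. The same two lines appear unchanged as context in the later `@@ -4,16 +4,21 @@` hunk of this file (the 'Strict typing for middleware' commit), where they are not addressed either; `alertMiddlewareFactory`'s body continues past this hunk.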
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts index cf34784f9146682..70f3e5af3b77955 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts @@ -19,7 +19,6 @@ function alertListStateSelector(state: GlobalState) { return state.alertList; } -// TODO abstract this its in two places /** * Calls the `secondSelector` with the result of the `selector`. Use this when re-exporting a * concern-specific selector. `selector` should return the concern-specific state. diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx index 007f886f84b2f71..f33cf718ea9c007 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx @@ -4,14 +4,17 @@ * you may not use this file except in compliance with the Elastic License. */ -import { memo, useState, useMemo, useEffect } from 'react'; +import { memo, useState, useMemo } from 'react'; import React from 'react'; import { EuiDataGrid } from '@elastic/eui'; import { useDispatch, useSelector } from 'react-redux'; import { AlertAction } from '../../store/alerts/action'; import * as selectors from '../../store/selectors'; +import { usePageId } from '../use_page_id'; export const AlertIndex = memo(() => { + usePageId('alertsPage'); + const columns: Array<{ id: string }> = [ { id: 'alert_type' }, { id: 'event_type' }, 
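Review bot: `import { AlertAction } from '../../store/alerts/action';` survives the `@@ -4,14 +4,17 @@` hunk of `view/alerts/index.tsx` as context, but its only use — `const dispatch: (action: AlertAction) => unknown = useDispatch();` — is removed in the next hunk (`@@ -25,12 +28,6 @@`), leaving an unused import that `@typescript-eslint/no-unused-vars` will reject. Drop that import line, and `useDispatch` from the `react-redux` import if nothing else in the component uses it (the rest of the component is outside the hunk).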
@@ -25,12 +28,6 @@ export const AlertIndex = memo(() => { const [visibleColumns, setVisibleColumns] = useState(() => columns.map(({ id }) => id)); - const dispatch: (action: AlertAction) => unknown = useDispatch(); - - useEffect(() => { - dispatch({ type: 'appRequestedAlertsData' }); - }, [dispatch]); - const json = useSelector(selectors.alertListData); const renderCellValue = useMemo(() => { diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/use_page_id.ts b/x-pack/plugins/endpoint/public/applications/endpoint/view/use_page_id.ts new file mode 100644 index 000000000000000..43c1597bc51610b --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/use_page_id.ts @@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { useEffect } from 'react'; +import { useDispatch } from 'react-redux'; +import { PageId } from '../../../../endpoint_app_types'; +import { RoutingAction } from '../store/routing'; + +/** + * Dispatches a 'userNavigatedToPage' action with the given 'pageId' as the action payload + */ +export function usePageId(pageId: PageId) { + const dispatch: (action: RoutingAction) => unknown = useDispatch(); + useEffect(() => { + dispatch({ type: 'userNavigatedToPage', payload: pageId }); + }, [dispatch, pageId]); +} From 03e374fc3a19a6800df23af0364022614251a135 Mon Sep 17 00:00:00 2001 From: Pedro Jaramillo Date: Fri, 24 Jan 2020 11:49:21 -0500 Subject: [PATCH 10/10] Strict typing for middleware --- .../endpoint/store/alerts/middleware.ts | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
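Review bot: The TSDoc on the new `usePageId` hook says what is dispatched but not when; with `[dispatch, pageId]` as the effect dependencies it fires on mount and again on every `pageId` change, and middleware keyed on this action (the alerts fetch in the middleware hunk above) runs each time. Suggest ` * Dispatches 'userNavigatedToPage' with `pageId` as the payload once on mount and again whenever `pageId` changes; middleware listening for that action (e.g. the alerts fetch) re-runs each time.` so callers know that re-mounting a page re-triggers the request.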
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts index 9b377ec63e71f65..e681f3641fc9b15 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts @@ -4,16 +4,21 @@ * you may not use this file except in compliance with the Elastic License. */ -import { Middleware, Dispatch } from 'redux'; +import { Dispatch, MiddlewareAPI } from 'redux'; import { CoreStart } from 'kibana/public'; import { AlertData } from '../../../../../endpoint_app_types'; import { GlobalState } from '../reducer'; import { AppAction } from '../action'; -export const alertMiddlewareFactory: ( +// TODO, move this somewhere +type MiddlewareFactory = ( coreStart: CoreStart -) => Middleware<{}, GlobalState, Dispatch> = coreStart => { - return store => next => async action => { +) => ( + api: MiddlewareAPI, GlobalState> +) => (next: Dispatch) => (action: AppAction) => unknown; + +export const alertMiddlewareFactory: MiddlewareFactory = coreStart => { + return store => next => async (action: AppAction) => { next(action); if (action.type === 'userNavigatedToPage' && action.payload === 'alertsPage') { const response: AlertData[] = await coreStart.http.get('/api/endpoint/alerts');
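Review bot: `// TODO, move this somewhere` above the new `MiddlewareFactory` type says neither where nor why; the alias is written over `CoreStart`, `GlobalState`, `Dispatch` and `AppAction` and nothing in it is alert-specific, so the comment should record that intent, e.g. `// TODO: MiddlewareFactory is store-wide (GlobalState/AppAction), not alert-specific; move it next to the store-wide types such as GlobalState.` The `MiddlewareAPI, GlobalState>` text shown here is presumably the page dropping a `<…>` generic argument rather than something in the commit. The hunk ends at the `await coreStart.http.get(...)` line and `alertMiddlewareFactory`'s body continues past it.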