diff --git a/x-pack/plugins/endpoint/common/types.ts b/x-pack/plugins/endpoint/common/types.ts index 5e69aa0d18b680..0128cd3dd6df7c 100644 --- a/x-pack/plugins/endpoint/common/types.ts +++ b/x-pack/plugins/endpoint/common/types.ts @@ -23,20 +23,72 @@ export type ImmutableSet = ReadonlySet>; export type ImmutableObject = { readonly [K in keyof T]: Immutable }; export class EndpointAppConstants { + static ALERT_INDEX_NAME = 'my-index'; static ENDPOINT_INDEX_NAME = 'endpoint-agent*'; } +export interface AlertResultList { + /** + * The alerts restricted by page size. + */ + alerts: AlertData[]; + + /** + * The total number of alerts on the page. + */ + total: number; + + /** + * The size of the requested page. + */ + request_page_size: number; + + /** + * The index of the requested page, starting at 0. + */ + request_page_index: number; + + /** + * The offset of the requested page, starting at 0. + */ + result_from_index: number; +} + export interface EndpointResultList { - // the endpoint restricted by the page size + /* the endpoints restricted by the page size */ endpoints: EndpointMetadata[]; - // the total number of unique endpoints in the index + /* the total number of unique endpoints in the index */ total: number; - // the page size requested + /* the page size requested */ request_page_size: number; - // the index requested + /* the page index requested */ request_page_index: number; } +export interface AlertData { + '@timestamp': Date; + agent: { + id: string; + version: string; + }; + event: { + action: string; + }; + file_classification: { + malware_classification: { + score: number; + }; + }; + host: { + hostname: string; + ip: string; + os: { + name: string; + }; + }; + thread: {}; +} + export interface EndpointMetadata { event: { created: Date; 
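Review bot: `static ALERT_INDEX_NAME = 'my-index';` in `EndpointAppConstants` reads like a placeholder next to the real pattern in `ENDPOINT_INDEX_NAME` (`'endpoint-agent*'`). If the alert query builder (not shown on this page) searches this constant, the route will read whatever index happens to carry that name, so replace it with the actual alert index pattern or move it into plugin config. Separately, `'@timestamp': Date` in `AlertData` cannot hold after JSON transport, and the sample data removed by this commit carries it as a number; `'@timestamp': string | number` would describe the payload honestly. The doc comment on `total` says "on the page", but the route tests treat it as the total number of matching alerts, so the comment should say so.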
@@ -63,35 +115,6 @@ export interface EndpointMetadata { }; } -export interface AlertData { - value: { - source: { - endgame: { - data: { - file_operation: string; - malware_classification: { - score: number; - }; - }; - metadata: { - key: string; - }; - timestamp_utc: Date; - }; - labels: { - endpoint_id: string; - }; - host: { - hostname: string; - ip: string; - os: { - name: string; - }; - }; - }; - }; -} - /** * The PageId type is used for the payload when firing userNavigatedToPage actions */ diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts index 431b0d8d6fcf8d..464a04eff5ebda 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts @@ -4,11 +4,11 @@ * you may not use this file except in compliance with the Elastic License. */ -import { AlertData, Immutable } from '../../../../../common/types'; +import { AlertListData } from '../../types'; -type ServerReturnedAlertsData = Immutable<{ +interface ServerReturnedAlertsData { type: 'serverReturnedAlertsData'; - payload: AlertData[]; -}>; + payload: AlertListData; +} export type AlertAction = ServerReturnedAlertsData; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts index 5545218d9abd6b..f63910a1c305ef 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts @@ -6,3 +6,4 @@ export { alertListReducer } from './reducer'; export { AlertAction } from './action'; +export * from '../../types'; 
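Review bot: `ServerReturnedAlertsData` in `store/alerts/action.ts` drops the `Immutable<...>` wrapper that the removed lines had, and the later hunk in `public/applications/endpoint/types.ts` does the same for `AlertListState`. The compiler therefore no longer stops a reducer, selector or view from mutating store state in place. Keeping the wrapper costs one import: `payload: Immutable<AlertListData>;` here and `export type AlertListState = Immutable<AlertResultList>;` in `types.ts`.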
diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts index 00ba8eddf9e67a..aede95ceb3759d 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts @@ -4,15 +4,20 @@ * you may not use this file except in compliance with the Elastic License. */ -import { AlertData, ImmutableArray } from '../../../../../common/types'; +import qs from 'querystring'; +import { HttpFetchQuery } from 'src/core/public'; import { AppAction } from '../action'; import { MiddlewareFactory } from '../../types'; export const alertMiddlewareFactory: MiddlewareFactory = coreStart => { + const qp = qs.parse(window.location.search.slice(1)); + return api => next => async (action: AppAction) => { next(action); if (action.type === 'userNavigatedToPage' && action.payload === 'alertsPage') { - const response: ImmutableArray = await coreStart.http.get('/api/endpoint/alerts'); + const response = await coreStart.http.get('/api/endpoint/alerts', { + query: qp as HttpFetchQuery, + }); api.dispatch({ type: 'serverReturnedAlertsData', payload: response }); } }; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts index 4ad815ee10b232..fd74abe9e34329 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts @@ -11,6 +11,10 @@ import { AppAction } from '../action'; const initialState = (): AlertListState => { return { alerts: [], + request_page_size: 10, + request_page_index: 0, + result_from_index: 0, + total: 0, }; }; 
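Review bot: In `alertMiddlewareFactory`, `qs.parse(window.location.search.slice(1))` is forwarded wholesale as `query` behind an `as HttpFetchQuery` cast, so every parameter in the page URL, not just paging, is sent to `/api/endpoint/alerts`. The route's `reqSchema` declares only `page_size` and `page_index`; depending on how the schema treats unknown keys, an unrelated URL parameter would either fail validation or reach the handler unchecked. Pick the two known keys explicitly, e.g. `query: { page_size: qp.page_size, page_index: qp.page_index }`. The parse also runs once when the factory is created rather than inside the `userNavigatedToPage` branch, so later URL changes are ignored, and the awaited `http.get` has no `try/catch`, so an error response would surface as an unhandled rejection.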
@@ -21,7 +25,7 @@ export const alertListReducer: Reducer = ( if (action.type === 'serverReturnedAlertsData') { return { ...state, - alerts: action.payload, + alerts: action.payload.alerts, }; } diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/types.ts b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts index 525983c9f8523c..5f02d36308053d 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/types.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts @@ -6,9 +6,9 @@ import { Dispatch, MiddlewareAPI } from 'redux'; import { CoreStart } from 'kibana/public'; -import { Immutable, AlertData } from '../../../common/types'; import { EndpointListState } from './store/endpoint_list'; import { AppAction } from './store/action'; +import { AlertResultList } from '../../../common/types'; export type MiddlewareFactory = ( coreStart: CoreStart @@ -16,11 +16,10 @@ export type MiddlewareFactory = ( api: MiddlewareAPI, GlobalState> ) => (next: Dispatch) => (action: AppAction) => unknown; -export type AlertListState = Immutable<{ - alerts: AlertData[]; -}>; - export interface GlobalState { readonly endpointList: EndpointListState; readonly alertList: AlertListState; } + +export type AlertListData = AlertResultList; +export type AlertListState = AlertResultList; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx index dcb324e3597c24..8c32426dcc8681 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx 
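Review bot: In `alertListReducer` only `alerts` is copied out of the payload, so `total`, `request_page_size`, `request_page_index` and `result_from_index` stay at the `initialState` values added in the previous hunk, whatever the server returned. Since `AlertListState` and the payload are both `AlertResultList`, `return { ...state, ...action.payload };` keeps the paging fields in step with the response. The reducer body starts and ends outside this hunk.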
@@ -8,6 +8,7 @@ import { memo, useState, useMemo } from 'react'; import React from 'react'; import { EuiDataGrid } from '@elastic/eui'; import { useSelector } from 'react-redux'; +import { i18n } from '@kbn/i18n'; import * as selectors from '../../store/selectors'; import { usePageId } from '../use_page_id'; @@ -40,21 +41,26 @@ export const AlertIndex = memo(() => { const row = json[rowIndex]; if (columnId === 'alert_type') { - return row.value.source.endgame.metadata.key; + return i18n.translate( + 'xpack.endpoint.application.endpoint.alerts.alertType.maliciousFileDescription', + { + defaultMessage: 'Malicious File', + } + ); } else if (columnId === 'event_type') { - return row.value.source.endgame.data.file_operation; + return row.event.action; } else if (columnId === 'os') { - return row.value.source.host.os.name; + return row.host.os.name; } else if (columnId === 'ip_address') { - return row.value.source.host.ip; + return row.host.ip; } else if (columnId === 'host_name') { - return row.value.source.host.hostname; + return row.host.hostname; } else if (columnId === 'timestamp') { - return row.value.source.endgame.timestamp_utc; + return row['@timestamp']; } else if (columnId === 'archived') { return null; } else if (columnId === 'malware_score') { - return row.value.source.endgame.data.malware_classification.score; + return row.file_classification.malware_classification.score; } return null; }; diff --git a/x-pack/plugins/endpoint/server/config.ts b/x-pack/plugins/endpoint/server/config.ts index 3f9a8a5508dd8d..7ce5ebcf4eba90 100644 --- a/x-pack/plugins/endpoint/server/config.ts +++ b/x-pack/plugins/endpoint/server/config.ts 
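Review bot: The cell renderer in `AlertIndex` dereferences nested fields directly (`row.host.os.name`, `row.file_classification.malware_classification.score`), while the server route in this commit returns each hit's `_source` without checking its shape. An alert document missing `host` or `file_classification` would therefore throw during render. Guard the lookups, e.g. `return row.file_classification?.malware_classification?.score ?? null;`, and likewise for the `host` fields. The `alert_type` column now returns the fixed string 'Malicious File' for every row, so a comment such as `// TODO: derive from the event once other alert types are indexed` would make that limitation explicit. The renderer function begins outside the hunk.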
@@ -15,6 +15,8 @@ export const EndpointConfigSchema = schema.object({ enabled: schema.boolean({ defaultValue: false }), endpointResultListDefaultFirstPageIndex: schema.number({ defaultValue: 0 }), endpointResultListDefaultPageSize: schema.number({ defaultValue: 10 }), + alertResultListDefaultFirstPageIndex: schema.number({ defaultValue: 0 }), + alertResultListDefaultPageSize: schema.number({ defaultValue: 10 }), }); export function createConfig$(context: PluginInitializerContext) { diff --git a/x-pack/plugins/endpoint/server/plugin.ts b/x-pack/plugins/endpoint/server/plugin.ts index 1f34ba1d36d972..3fed4ca480b857 100644 --- a/x-pack/plugins/endpoint/server/plugin.ts +++ b/x-pack/plugins/endpoint/server/plugin.ts @@ -69,7 +69,7 @@ export class EndpointPlugin const router = core.http.createRouter(); addRoutes(router); registerEndpointRoutes(router, endpointContext); - registerAlertRoutes(router); + registerAlertRoutes(router, endpointContext); } public start() { diff --git a/x-pack/plugins/endpoint/server/routes/alerts.test.ts b/x-pack/plugins/endpoint/server/routes/alerts.test.ts new file mode 100644 index 00000000000000..e6bd9b8888ef70 --- /dev/null +++ b/x-pack/plugins/endpoint/server/routes/alerts.test.ts 
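Review bot: `alertResultListDefaultFirstPageIndex` and `alertResultListDefaultPageSize` are declared as bare `schema.number({ defaultValue: ... })`, so a negative or very large configured value is accepted. The request schema in `routes/alerts.ts` bounds the same quantities with `min: 1, max: 10000` and `min: 0`. Assuming these defaults feed the paging code when a request omits the parameters, give them the same limits: `schema.number({ defaultValue: 10, min: 1, max: 10000 })` and `schema.number({ defaultValue: 0, min: 0 })`.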
@@ -0,0 +1,191 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import {
+ IClusterClient,
+ IRouter,
+ IScopedClusterClient,
+ KibanaResponseFactory,
+ RequestHandler,
+ RequestHandlerContext,
+ RouteConfig,
+} from 'kibana/server';
+import {
+ elasticsearchServiceMock,
+ httpServerMock,
+ httpServiceMock,
+ loggingServiceMock,
+} from '../../../../../src/core/server/mocks';
+import { AlertData, AlertResultList } from '../../common/types';
+import { SearchResponse } from 'elasticsearch';
+import { reqSchema, registerAlertRoutes } from './alerts';
+import { EndpointConfigSchema } from '../config';
+import * as data from '../test_data/all_alerts_data.json';
+import * as dataLegacy from '../test_data/all_alerts_data_legacy.json';
+
+describe('test alerts route', () => {
+ let routerMock: jest.Mocked;
+ let mockResponse: jest.Mocked;
+ let mockClusterClient: jest.Mocked;
+ let mockScopedClient: jest.Mocked;
+ let routeHandler: RequestHandler;
+ let routeConfig: RouteConfig;
+
+ beforeEach(() => {
+ mockClusterClient = elasticsearchServiceMock.createClusterClient();
+ mockScopedClient = elasticsearchServiceMock.createScopedClusterClient();
+ mockClusterClient.asScoped.mockReturnValue(mockScopedClient);
+ routerMock = httpServiceMock.createRouter();
+ mockResponse = httpServerMock.createResponseFactory();
+ registerAlertRoutes(routerMock, {
+ logFactory: loggingServiceMock.create(),
+ config: () => Promise.resolve(EndpointConfigSchema.validate({})),
+ });
+ });
+
+ it('should correctly calculate legacy alert total', async () => {
+ const mockRequest = httpServerMock.createKibanaRequest({});
+
+ const response: SearchResponse = (dataLegacy as unknown) as SearchResponse<
+ AlertData
+ >;
+ mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response));
+ [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) =>
+ path.startsWith('/api/endpoint/alerts')
+ )!;
+
+ await routeHandler(
+ ({
+ core: {
+ elasticsearch: {
+ dataClient: mockScopedClient,
+ },
+ },
+ } as unknown) as RequestHandlerContext,
+ mockRequest,
+ mockResponse
+ );
+
+ expect(mockScopedClient.callAsCurrentUser).toBeCalled();
+ expect(routeConfig.options).toEqual({ authRequired: true });
+ expect(mockResponse.ok).toBeCalled();
+ const alertResultList = mockResponse.ok.mock.calls[0][0]?.body as AlertResultList;
+ expect(alertResultList.total).toEqual(21);
+ expect(alertResultList.request_page_index).toEqual(0);
+ expect(alertResultList.result_from_index).toEqual(0);
+ expect(alertResultList.request_page_size).toEqual(10);
+ });
+
+ it('should return the latest of all alerts', async () => {
+ const mockRequest = httpServerMock.createKibanaRequest({});
+
+ const response: SearchResponse = (data as unknown) as SearchResponse;
+ mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(response));
+ [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) =>
+ path.startsWith('/api/endpoint/alerts')
+ )!;
+
+ await routeHandler(
+ ({
+ core: {
+ elasticsearch: {
+ dataClient: mockScopedClient,
+ },
+ },
+ } as unknown) as RequestHandlerContext,
+ mockRequest,
+ mockResponse
+ );
+
+ expect(mockScopedClient.callAsCurrentUser).toBeCalled();
+ expect(routeConfig.options).toEqual({ authRequired: true });
+ expect(mockResponse.ok).toBeCalled();
+ const alertResultList = mockResponse.ok.mock.calls[0][0]?.body as AlertResultList;
+ expect(alertResultList.total).toEqual(21);
+ expect(alertResultList.request_page_index).toEqual(0);
+ expect(alertResultList.result_from_index).toEqual(0);
+ expect(alertResultList.request_page_size).toEqual(10);
+ });
+
+ it('should return alert results according to pagination params -- POST', async () => {
+ const mockRequest = httpServerMock.createKibanaRequest({
+ method: 'post',
+ body: {
+ page_size: 6,
+ page_index: 3,
+ },
+ });
+ mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(data));
+ [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) =>
+ path.startsWith('/api/endpoint/alerts')
+ )!;
+
+ await routeHandler(
+ ({
+ core: {
+ elasticsearch: {
+ dataClient: mockScopedClient,
+ },
+ },
+ } as unknown) as RequestHandlerContext,
+ mockRequest,
+ mockResponse
+ );
+
+ expect(mockScopedClient.callAsCurrentUser).toBeCalled();
+ expect(routeConfig.options).toEqual({ authRequired: true });
+ expect(mockResponse.ok).toBeCalled();
+ const alertResultList = mockResponse.ok.mock.calls[0][0]?.body as AlertResultList;
+ expect(alertResultList.total).toEqual(21);
+ expect(alertResultList.request_page_index).toEqual(3);
+ expect(alertResultList.result_from_index).toEqual(18);
+ expect(alertResultList.request_page_size).toEqual(6);
+ });
+
+ it('should return alert results according to pagination params -- GET', async () => {
+ const mockRequest = httpServerMock.createKibanaRequest({
+ path: '/api/endpoint/alerts',
+ query: {
+ page_size: 3,
+ page_index: 2,
+ },
+ });
+ mockScopedClient.callAsCurrentUser.mockImplementationOnce(() => Promise.resolve(data));
+ [routeConfig, routeHandler] = routerMock.get.mock.calls.find(([{ path }]) =>
+ path.startsWith('/api/endpoint/alerts')
+ )!;
+
+ await routeHandler(
+ ({
+ core: {
+ elasticsearch: {
+ dataClient: mockScopedClient,
+ },
+ },
+ } as unknown) as RequestHandlerContext,
+ mockRequest,
+ mockResponse
+ );
+
+ expect(mockScopedClient.callAsCurrentUser).toBeCalled();
+ expect(routeConfig.options).toEqual({ authRequired: true });
+ expect(mockResponse.ok).toBeCalled();
+ const alertResultList = mockResponse.ok.mock.calls[0][0]?.body as AlertResultList;
+ expect(alertResultList.total).toEqual(21);
+ expect(alertResultList.request_page_index).toEqual(2);
+ expect(alertResultList.result_from_index).toEqual(6);
+ expect(alertResultList.request_page_size).toEqual(3);
+ });
+
+ it('should correctly validate params', async () => {
+ const validate = () => {
+ reqSchema.validate({
+ page_size: 'abc',
+ page_index: 0,
+ });
+ };
+ expect(validate).toThrow();
+ });
+});
diff --git a/x-pack/plugins/endpoint/server/routes/alerts.ts b/x-pack/plugins/endpoint/server/routes/alerts.ts
index 68992b58909283..541cf4af527697 100644
--- a/x-pack/plugins/endpoint/server/routes/alerts.ts
+++ b/x-pack/plugins/endpoint/server/routes/alerts.ts
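Review bot: The validation test in `alerts.test.ts` only feeds a non-numeric `page_size`, so the bounds declared on `reqSchema` (`min: 1, max: 10000` for `page_size`, `min: 0` for `page_index`) and the handler's error path are not covered. Add boundary cases such as `expect(() => reqSchema.validate({ page_size: 10001 })).toThrow();` and `expect(() => reqSchema.validate({ page_index: -1 })).toThrow();`. A case where `callAsCurrentUser` rejects, asserting on what the response body contains, would pin down what the route returns to the caller on failure. The first two tests also look the handler up under `routerMock.post` while sending a default request with no body, which deserves a comment or a switch to `routerMock.get`.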
@@ -4,28 +4,100 @@ * you may not use this file except in compliance with the Elastic License. */ -import { IRouter } from 'kibana/server'; +import { IRouter, KibanaRequest, RequestHandler } from 'kibana/server'; +import { SearchResponse } from 'elasticsearch'; +import { schema } from '@kbn/config-schema'; -import json from './sampledata.json'; +import { + getPagingProperties, + buildAlertListESQuery, +} from '../services/endpoint/alert_query_builders'; + +import { AlertData, AlertResultList } from '../../common/types'; +import { AlertRequestParams, EndpointAppContext } from '../types'; + +const ALERTS_ROUTE = '/api/endpoint/alerts'; + +export const reqSchema = schema.object({ + page_size: schema.number({ defaultValue: 10, min: 1, max: 10000 }), + page_index: schema.number({ defaultValue: 0, min: 0 }), +}); + +export function registerAlertRoutes(router: IRouter, endpointAppContext: EndpointAppContext) { + const alertsHandler: RequestHandler = async (ctx, req, res) => { + try { + const queryParams = await getPagingProperties( + req as KibanaRequest, + endpointAppContext + ); + const reqBody = await buildAlertListESQuery(queryParams); + const response = (await ctx.core.elasticsearch.dataClient.callAsCurrentUser( + 'search', + reqBody + )) as SearchResponse; + return res.ok({ body: mapToAlertResultList(endpointAppContext, queryParams, response) }); + } catch (err) { + return res.internalError({ body: err }); + } + }; -export function registerAlertRoutes(router: IRouter) { router.get( { - path: '/api/endpoint/alerts', - validate: false, + path: ALERTS_ROUTE, + validate: { + query: reqSchema, + }, options: { authRequired: true }, }, - async (context, req, res) => { - try { - return res.ok({ - body: json, - headers: { - 'Content-Type': 'application/json', - }, - }); - } catch (err) { - return res.internalError({ body: err }); - } - } + alertsHandler ); + + router.post( + { + path: ALERTS_ROUTE, + validate: { + body: reqSchema, + }, + options: { authRequired: true }, + }, 
+ alertsHandler + ); +} + +function mapToAlertResultList( + endpointAppContext: EndpointAppContext, + queryParams: Record, + searchResponse: SearchResponse +): AlertResultList { + interface Total { + value: number; + relation: string; + } + + let totalNumberOfAlerts: number = 0; + let totalIsLowerBound: boolean = false; + + // We handle 2 separate schemas for the response below, due to: https://github.com/elastic/kibana/issues/56694 + if (typeof searchResponse?.hits?.total === 'object') { + const total: Total = searchResponse?.hits?.total as Total; + totalNumberOfAlerts = total?.value || 0; + totalIsLowerBound = total?.relation === 'gte' || false; + } else { + totalNumberOfAlerts = searchResponse?.hits?.total || 0; + } + + if (totalIsLowerBound) { + // This shouldn't happen, as we always try to fetch enough hits to satisfy the current request and the next page. + endpointAppContext.logFactory + .get('endpoint') + .warn('Total hits not counted accurately. Pagination numbers may be inaccurate.'); + } + + return { + request_page_size: queryParams.pageSize, + request_page_index: queryParams.pageIndex, + result_from_index: queryParams.fromIndex, + alerts: searchResponse?.hits?.hits?.map(entry => entry._source), + total: totalNumberOfAlerts, + }; } diff --git a/x-pack/plugins/endpoint/server/routes/sampledata.json b/x-pack/plugins/endpoint/server/routes/sampledata.json deleted file mode 100644 index b0d6ae02f9f921..00000000000000 --- a/x-pack/plugins/endpoint/server/routes/sampledata.json +++ /dev/null 
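Review bot: In `alertsHandler` the catch block returns the caught error object to the caller (`return res.internalError({ body: err });`), which can hand Elasticsearch failure detail such as index names and query fragments to any authenticated user. Log the error server-side and return a fixed message instead: `endpointAppContext.logFactory.get('endpoint').error(err);` followed by `return res.internalError({ body: 'Unable to retrieve alerts' });`. `page_index` has `min: 0` but no upper bound, so with `page_size` up to 10000 the computed offset can grow far beyond what a search will serve (the offset arithmetic lives in `getPagingProperties`, not shown here); a cap or a 400 for out-of-range pages would keep that from surfacing as a 500. In `mapToAlertResultList`, `searchResponse?.hits?.hits?.map(...)` can yield `undefined` although `alerts` is typed as an array, and appending `?? []` would keep the contract.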
@@ -1,11350 +0,0 @@ -[ - { - "type": "doc", - "value": { - "id": "huVEc20BW148Je-rzxwQ", - "index": "test_alert_data", - "source": { - "@timestamp": 1542789433000, - "agent": { - "id": "5085268f-7443-4f15-85d2-bf14b2a69c60", - "type": "endgame", - "version": "3.0.0" - }, - "ecs": { - "version": "1.1.0" - }, - "endgame": { - "data": { - "alert_details": { - "acting_process": { - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "cmdline": "\"C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe\"", - "create_time": 1542788400, - "domain": "NT AUTHORITY", - "exe": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", - "hashes": { - "md5": "1f2d082566b0fc5f2c238a5180db7451", - "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", - "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" - }, - "imphash": "c30d230b81c734e82e86e2e2fe01cd01", - "is_sensor": false, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "md5": "1f2d082566b0fc5f2c238a5180db7451", - "modules": [ - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1534424710, - "hashes": { - "imphash": "c30d230b81c734e82e86e2e2fe01cd01", - "md5": "1f2d082566b0fc5f2c238a5180db7451", - "sha1": 
"ca85243c0af6a6471bdaa560685c51eefd6dbc0d", - "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 5362483200, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 05:28" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258681, - "hashes": { - "imphash": "d41d8cd98f00b204e9800998ecf8427e", - "md5": "3556d5a8bf2cc508bdab51dec38d7c61", - "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", - "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2006056960, - "mapped_size": 0, - "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, 
- "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258315, - "hashes": { - "imphash": "9165b02c931d76a9b666d8d42128111b", - "md5": "7a6326d96d53048fdec542df23d875a0", - "sha1": "5c02af0206c299f5bcab8da4237cfc92e3e93495", - "sha256": "182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2004877312, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\kernel32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258316, - "hashes": { - "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", - "md5": "da68c291b4ef2dec9c5963266bcae454", - "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", - "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791760109568, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\KERNELBASE.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - 
"subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258929, - "hashes": { - "imphash": "2cb501375ed127591bf5cfee7f1e52fe", - "md5": "fe70103391a64039a921dbfff9c7ab1b", - "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", - "sha256": "f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2003828736, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\USER32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258001, - "hashes": { - "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", - "md5": "1084aa52ccc324ea54c7121fa24c2221", - "sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", - "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791780163584, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\GDI32.dll", - 
"signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534943, - "hashes": { - "imphash": "919110853c18aa198ad129945337b1dd", - "md5": "d202223587518b13d72d68937b7e3f70", - "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", - "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791780622336, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\LPK.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258933, - "hashes": { - "imphash": "17bf46cf6bf6c8cae48be5b75615a353", - "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", - "sha1": "66310680ee38904b2852717af13028e53b4e8b8e", - "sha256": 
"2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791788552192, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\USP10.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535038, - "hashes": { - "imphash": "8c99b1c0f6cf68b07336751f460f1dba", - "md5": "7319bb10fa1f86e49e3dcf4136f6c957", - "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", - "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791775444992, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\msvcrt.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": 
"http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534699, - "hashes": { - "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", - "md5": "6df46d2bd74e3da1b45f08f10d172732", - "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", - "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791781736448, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ADVAPI32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535198, - "hashes": { - "imphash": "b8ba136689cdc8d8b25fc04902f39a22", - "md5": "83404dcbce4925b6a5a77c5170f46d86", - "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", - "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791777214464, - "mapped_size": 0, - "path": "C:\\Windows\\SYSTEM32\\sechost.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 
0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258798, - "hashes": { - "imphash": "46876e4adb924a616ddbbb1992d61257", - "md5": "0611473c1ad9e2d991cd9482068417f7", - "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", - "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791787307008, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\RPCRT4.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1534424472, - "hashes": { - "imphash": "a24cfb84e3006f3634d5b09aed45c264", - "md5": "56e6aa240cf6503265fbe5cf4d5889e8", - "sha1": "2678a3c08b2f82598527bd0c064eb1be5877e277", - "sha256": "4e7e127e2818eeb2de34a9369dcaca233443f085e53706c969592a9907df2ae8" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791710957568, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\AP.dll", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted" - }, - { - "architecture": 
"x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1534424450, - "hashes": { - "imphash": "f12460104bb4725d7964cf569f727f61", - "md5": "58017789505c114426b63c775debc12b", - "sha1": "0a348ca38bbcf851083578b77a8263765bd9b5e7", - "sha256": "1bd7d7b7b69e15adb6fcf0b520a7107eb5270163935e1f50fcee85ed65440b46" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791706894336, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\Protobuf.dll", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1438071093, - "hashes": { - "imphash": "341d1190606326748a708433d5d0cc36", - "md5": "0a2be3ed5a71082e5f9296f79323a639", - "sha1": "6acb15e8191b5530297c807d3066b1a71f4326d4", - "sha256": "8847013e01db09adab6a1dc338803df3696730577a0dda847847540529048aae" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791705714688, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\libprotobuf.dll", - "signature_signer": "Cybereason Inc", - "signature_status": 
"trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Code Signing PCA", - "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", - "subject_name": "Microsoft Corporation" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "10/04/2013 22:49" - }, - "more_info_link": "http://microsoft.com", - "program_name": "msvcp120.dll", - "publisher_link": "" - }, - "compile_time": 1380942867, - "hashes": { - "imphash": "d0a59246eab41d54812cd63c2326e1f1", - "md5": "46060c35f697281bc5e7337aee3722b1", - "sha1": "d0164c041707f297a73abb9ea854111953e99cf1", - "sha256": "2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791704993792, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSVCP120.dll", - "signature_signer": "Microsoft Corporation", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Code Signing PCA", - "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", - "subject_name": "Microsoft Corporation" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "10/04/2013 22:49" - }, - "more_info_link": "http://microsoft.com", - "program_name": "msvcr120.dll", - "publisher_link": "" - }, - "compile_time": 1380942847, - "hashes": { - "imphash": "8f18e22935ef8b336e246ee763fbec97", - "md5": "9c861c079dd81762b6c54e37597b7712", - "sha1": "62cb65a1d79e2c5ada0c7bfc04c18693567c90d0", - "sha256": 
"ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791704010752, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSVCR120.dll", - "signature_signer": "Microsoft Corporation", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258732, - "hashes": { - "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", - "md5": "6c60b5aca7442efb794082cdacfc001c", - "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", - "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791791894528, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ole32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - 
"program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258736, - "hashes": { - "imphash": "774fed8966de60d3af2dd9070df5be6f", - "md5": "42f05f980f164e084db65b2e8cd8430f", - "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", - "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791783899136, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\OLEAUT32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258981, - "hashes": { - "imphash": "1ec347d133df2fe4da3e5f8944caeae8", - "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", - "sha1": "d48aafa576b40a5e386e609bba1010472551154a", - "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791779835904, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WS2_32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - 
"cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535145, - "hashes": { - "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", - "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", - "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", - "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791791828992, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\NSI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258859, - "hashes": { - "imphash": "4b37cbf60127ea0550ec30e0b1c52984", - "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", - "sha1": "3b099b193abb9064e6937101d0c309f04d713882", - "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791784816640, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SHLWAPI.dll", - "signature_signer": "Microsoft 
Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257495, - "hashes": { - "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", - "md5": "497bfeddaf3950dd909c3b0c5558a25d", - "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", - "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791730683904, - "mapped_size": 0, - "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258138, - "hashes": { - "imphash": "0bc508389b6b5577cf3cca214ca523a7", - "md5": "2b81776da02017a37fe26c662827470e", - "sha1": 
"8c85389640bea73a009d83079f8b4c963697035f", - "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791725375488, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\IPHLPAPI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535281, - "hashes": { - "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", - "md5": "4c9210e8f4e052f6a4eb87716da0c24c", - "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", - "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791725113344, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINNSI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 
19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247527581, - "hashes": { - "imphash": "be693a67b5b884d7609eaf574ba00955", - "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", - "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", - "sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2007957504, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\PSAPI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1472978395, - "hashes": { - "imphash": "3a8c832bddbba9333df28c1da212318e", - "md5": "e1c637922e34d868ebcd6ef199cf1394", - "sha1": "01c19a0137082a03ecace613506af5fe9a66a12b", - "sha256": "0c0c7b4c9926413c285fa2345f08b895888887156277e535851a1f1d774e6c6c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791703158784, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\SQLite2015.dll", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": 
"Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534912, - "hashes": { - "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", - "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", - "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", - "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791790977024, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\IMM32.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535018, - "hashes": { - "imphash": "b523fff180cb22465ccf191b827e9923", - "md5": "c431eaf5caa1c82cac2534a2eab348a3", - "sha1": "e425577ccfc9b92efbbcb760d21fcaa478d3e51a", - "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791776100352, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSCTF.dll", - "signature_signer": "Microsoft Windows", - 
"signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534874, - "hashes": { - "imphash": "621a31b25a9ef1d128ea281b3eab572b", - "md5": "0040c486584a8e582c861cfb57ab5387", - "sha1": "bcf326e3f79b3db028c2ef1cc1a47d9697e867e7", - "sha256": "5ee17b55cb702d14ae75b19226de21cd2498bda6c6ef5872fdb8a718f401fed1" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791724654592, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\fwpuclnt.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258848, - "hashes": { - "imphash": "cc4d63ca30fdbb90048e549782d2116a", - "md5": "858df0795cb5b4bace0f33708925a414", - "sha1": "e629ed78e6e1829263890974760dad8a431edf69", - "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" - 
}, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791753031680, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\Secur32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258854, - "hashes": { - "imphash": "9c631776d86c9b15258c3cc2a6a7891d", - "md5": "26e716ed95dc48cf6e5ac046089366af", - "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", - "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791761092608, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\shell32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "11/29/2016 03:22" - }, - "more_info_link": "", - "program_name": "", - 
"publisher_link": "" - }, - "compile_time": 1480418473, - "hashes": { - "imphash": "f89e0a919d52e2b37d82d27f521530cf", - "md5": "f1a6e89598aa63a2efcfd1e31b44fe7c", - "sha1": "cd3a39758e72f42ef077c0ad9dd700509a032da6", - "sha256": "1ee6540520a7a84bc22036be42052303b5aed9911c9e8a04184a0688c63576f8" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791699816448, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDUpdateServiceCom.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258594, - "hashes": { - "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", - "md5": "764908fe1fa96f93c95b1b67a0fced29", - "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", - "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791720656896, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\NETAPI32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - 
"cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258588, - "hashes": { - "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", - "md5": "6ceca4c6a489c9b2e6073afdaae3f607", - "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", - "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791720198144, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\netutils.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258920, - "hashes": { - "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", - "md5": "3a9c9baf610b0dd4967086040b3b62a9", - "sha1": "3207ac7f895eab34623d994548d7810e54be3e79", - "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791751524352, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\srvcli.dll", - "signature_signer": "Microsoft Windows", - 
"signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290259010, - "hashes": { - "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", - "md5": "3c91392d448f6e5d525a85b7550d8ba9", - "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", - "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791720067072, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\wkscli.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535234, - "hashes": { - "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", - "md5": "94e026870a55aaeaff7853c1754091e9", - "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", - "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" - 
}, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791741169664, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\VERSION.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "01/18/2017 09:26" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1484760175, - "hashes": { - "imphash": "b33f679b12d9d05d922e720c0e21818c", - "md5": "1e5ea729f6dc5a8aff675a45706d389d", - "sha1": "f5a70ab4772325946a93c9eaf48ebe1dd1e7d3a3", - "sha256": "35da922b25ec8389a733f46a6c0d37c2c6b05463a123cde9fee48402c473e1ef" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791699161088, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\scan.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "11/22/2016 08:08" - }, - "more_info_link": "", 
- "program_name": "", - "publisher_link": "" - }, - "compile_time": 1479830743, - "hashes": { - "imphash": "513a166377e008d25aa2e22983dd13ff", - "md5": "3450d998edec5cdbd03b0df09c17e02d", - "sha1": "558979fb1a9368acdf2dc1e3d1afd94e7343f914", - "sha256": "c1f24493e4fc2a9c5d17e077455c3a610ad1e5fa46590f0f9598e680e5a07556" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791698702336, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "01/16/2017 05:34" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1484573247, - "hashes": { - "imphash": "d6d5dc292fe4d710905e9f280360309d", - "md5": "9f1bcf84eaa34afbdfcf19f22fc1d6f5", - "sha1": "e15e023d46738f4848f64ce853ada6a3083f8b7f", - "sha256": "d1c30b1a7fc63c4f52b00628c3e73f571db52ff2b87718bcb5a6322923f58987" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791696343040, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdquar.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 
83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "01/16/2017 05:34" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1484573248, - "hashes": { - "imphash": "4e1a791e94ac955105ddfaac387de22f", - "md5": "874d6017f89a2ef255a16280ed4b1bf7", - "sha1": "8951c3ab1c9ea0c312206b98d22a9779c8a89c8c", - "sha256": "00512202b78037c17a77b095fcb3458381002dbd20de8dee0c99ff7701343cda" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791693721600, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDSmartDB.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257756, - "hashes": { - "imphash": "5cd9d6761799e2ff681533ef1ffbb31d", - "md5": "2477a28081bdaee622cf045acf8ee124", - "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", - "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791757291520, - "mapped_size": 0, - 
"path": "C:\\Windows\\system32\\CFGMGR32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "DigiCert Assured ID Code Signing CA-1", - "serial_number": "0f b5 4c 96 fd 63 93 fd 7b b9 9c d1 d0 d5 16 ed ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "09/12/2018 01:20" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1512623776, - "hashes": { - "imphash": "e2dab13fa4a67b25d3fbae65a189c521", - "md5": "627d7f1de23e6b01d6251b4c6962e765", - "sha1": "5e1d1854861016198ce4a1dbdea883f257de9463", - "sha256": "82bdf513b5f5b55ff740482ee839b14455b2296e2a911cb9a1ae622969412ed5" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791688937472, - "mapped_size": 0, - "path": "C:\\ProgramData\\apv2\\bd_db\\1\\bdcore.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "09/13/2017 23:13" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1505278115, - "hashes": { - "imphash": "c2979e6e570392ed85b4e15810f2e90f", - "md5": 
"3b4c71b64bc20b0c6578a091a031c0fb", - "sha1": "00cb578e723555e929e4ad8e820772b56ce29475", - "sha256": "52db08c10a5f1482dda8527d592f71b33c1cfecfa5a5a2d0be5a78325c41dd7b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791679827968, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdnc.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257999, - "hashes": { - "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", - "md5": "3f9f2afa135f0663946a006dd5ffd897", - "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", - "sha256": "276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791758209024, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPT32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp 
Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258373, - "hashes": { - "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", - "md5": "884415bd4269c02eaf8e2613bf85500d", - "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", - "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791757225984, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSASN1.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535280, - "hashes": { - "imphash": "af1203c1d6d810c97729856780869b12", - "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", - "sha1": "c53e005cd04d99331ce3114ac119256133202313", - "sha256": "81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791679172608, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINMM.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows 
Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258927, - "hashes": { - "imphash": "b32250da0d30f7782b5b900d4d9c519a", - "md5": "2a86e54b441ad41557f75dc5609b9793", - "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", - "sha256": "8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791754866688, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SSPICLI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258493, - "hashes": { - "imphash": "466f15f36f10655b30e9347e7dfc2b52", - "md5": "1d5185a4c7e6695431ae4b55c3d7d333", - "sha1": "5e9f739d46e20541ffc0a6421dc6be416ca8f261", - "sha256": "16f3906c54f1d71559836fdfcf4e83e7c9f454463d78fd577ad2d7022e0bcb51" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 
8791748378624, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\mswsock.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535287, - "hashes": { - "imphash": "f967c6b35a5d1b7765016056a842e331", - "md5": "31559f3244c6bc00a52030caa83b6b91", - "sha1": "7943540153c7b7878101a4901d7935e05e7cfd32", - "sha256": "b2025742b5f0025ace9821d5722de3f997eeeab21d2f381c9e307882df422579" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791742021632, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\wshtcpip.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534998, - "hashes": { - "imphash": "77870f98ca4d25a823c74d7404a64bfd", - "md5": 
"d0c2fbb6d97416b0166478fc7ae2b212", - "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", - "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791748771840, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPTSP.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 17:43" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1247535161, - "hashes": { - "imphash": "b8c20a01e4d94df61ee21f5350389f9c", - "md5": "5d8874a8c11dddde29e12de0e2013493", - "sha1": "a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", - "sha256": "3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791745626112, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\rsaenh.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", 
- "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534993, - "hashes": { - "imphash": "f0c6fd6831905d958b05645b680db89f", - "md5": "784fa3df338e2e8f5f0389d6fac428af", - "sha1": "6d32c67c91c6d374854e907c6719db2538540867", - "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791755456512, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPTBASE.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257906, - "hashes": { - "imphash": "ff74e3ff0a015c2023b747f613061e42", - "md5": "a52b6cc24063cc83c78c0e6f24deec01", - "sha1": "a5384efac7d1f9213aaf0423ed0b021bc986b9df", - "sha256": "77e0d2b2356e71f9be52fa479c9dde17c453c198bb49cd4a97f2309628d82e3b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791746805760, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\DNSAPI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification 
PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534791, - "hashes": { - "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", - "md5": "4cbcc37856ea2039c27a2fb661dda0e5", - "sha1": "cc666108d34168420a1d1942dda1e090154c7296", - "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791722557440, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534790, - "hashes": { - "imphash": "f17020f0f66b64fbdf51c75b43f3729d", - "md5": "f568f7c08458d69e4fcd8675bbb107e4", - "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", - "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - 
"mapped_address": 8791722426368, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534847, - "hashes": { - "imphash": "dda6776607f283829d85b996f5e46d03", - "md5": "f3d202f53a222d5f6944d459b73cf967", - "sha1": "c9db224ce8ec34aa2f341b6766ea67aa12f8b4a7", - "sha256": "e9f1d48eb333d32331bcfd0348fe07bee7d5352292e6020571da395f596affe7" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791675961344, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\FLTLIB.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535135, - "hashes": { - "imphash": "ff720e05e534d67b814b8562265058f5", - "md5": 
"2c942733a5983dd4502219ff37c7ebc7", - "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", - "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791756308480, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\profapi.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290259008, - "hashes": { - "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", - "md5": "eb3f9c2de1236b5d46b2291d82970e43", - "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", - "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791759847424, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINTRUST.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - 
"timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534778, - "hashes": { - "imphash": "37afbae3e0f359c3718e379261f7ccfc", - "md5": "25983de69b57142039ac8d95e71cd9c9", - "sha1": "01691e3b0bfa569e64bdb7dc3d637a867ed2dc08", - "sha256": "a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791791173632, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CLBCatQ.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258799, - "hashes": { - "imphash": "a198edd0f73abd7cdbb54eef82ab1fc6", - "md5": "c2a8cb1275ecb85d246a9ecc02a728e3", - "sha1": "4417207821fc8f5c72ff531683f183caef297882", - "sha256": "3603fadca0060bd201148f9d59e4e2627f024609a6463ab525b5d1ad17bdcd10" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791756177408, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\RpcRtRemote.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification 
PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258979, - "hashes": { - "imphash": "207b35260128e01bb777acc1377dc241", - "md5": "58f4493bf748a3a89689997b7bd00e95", - "sha1": "9974ba41e8215f6669deb765988cfe34e9c1b56e", - "sha256": "ec5deec73e357c7c87b001275c4e635011a9cf39419f2b86e2c2b8d7e388c551" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791697915904, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\winhttp.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258934, - "hashes": { - "imphash": "01ecfbe4437ca8d85dd9400611c1b90e", - "md5": "bc9489df517c426d4044d99f14449134", - "sha1": "814f9c8c59ee59f2ff3fc1b5e21d5e270babb506", - "sha256": "cabd014ba29a548252bb8d5bd46d047dbfc445489492d9df75b29cede0ac9f8b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791697457152, - 
"mapped_size": 0, - "path": "C:\\Windows\\system32\\webio.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257996, - "hashes": { - "imphash": "eb1c8dd21e1f92a8be35a76b165ce8da", - "md5": "52d3d5e3586988d4d9e34acaac33105c", - "sha1": "2c20246d2c45fb6e8976b37ad62465f5f4255f2b", - "sha256": "c61b60ba962b25b8334f0941c3535ea4aca1cc060b8a196e396ca3e11ceef8a1" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791744577536, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\credssp.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535281, - "hashes": { - "imphash": "9e65c315ab3a48dda5ab558165a5002b", - "md5": "ec7cbff96b05ecf3d366355b3c64adcf", - "sha1": 
"fa74a61ea56a7bc3149860b5344c51fa9b6555bb", - "sha256": "f69ed45ebedca9cf000ac03281f0ec2c351f98513fba90e63394e4e561d6c7a2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791748313088, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\wship6.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535149, - "hashes": { - "imphash": "c2a02641f5327bf07de486ae7ec62117", - "md5": "88351b29b622b30962d2feb6ca8d860b", - "sha1": "3338d73b6c86fce85b07236ac230e5e2f4601818", - "sha256": "a16cad7d94c1c9807083bb36e9b4c3c14e6482c4ca2bdfacbcc86e737ddce42e" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791678255104, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\rasadhlp.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 
11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258810, - "hashes": { - "imphash": "34991d52051c8576ed061e7a2c5a4ae0", - "md5": "a199de544bf5c61c134b22c7592226fc", - "sha1": "03d97c806e4a28bb37d8c8384deddd6ac28acc9d", - "sha256": "af0cc2da847036f5fe6dd9fbeda7c3d05af291873d4eae121676dc6e8841a78f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791746215936, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\schannel.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535060, - "hashes": { - "imphash": "6a351d0e14283da2cd897563f0062c5b", - "md5": "2e8c52a0ec788d90fa35d9507d828771", - "sha1": "0725085c62d3a5a9a0d50256c2a56161aaca0a07", - "sha256": "dd5aaa10e075f209d9827c7a192ad5645d1156c149db9b5ac1ef7b5e0b5f11de" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791750344704, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ncrypt.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 
c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534713, - "hashes": { - "imphash": "9f3aab7eb2ffeeba57cb67496b05f365", - "md5": "b9a95365e52f421a20e1501935fadda5", - "sha1": "958a7ba90043f8e3b94da849a2da8bb139fc39c9", - "sha256": "ddb4cb575139233efaf2c59b7e9b04af36bbccc63190181f3b2a7e6bfc86e77e" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791750148096, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\bcrypt.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 34 64 00 00 00 00 00 0c ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 05:28" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257648, - "hashes": { - "imphash": "738644d200eea1ceb5661b1ac09aa146", - "md5": "d6c7780a364c6bbacfa796bab9f1b374", - "sha1": "15236c349be131790d21a63550d725cc62b1bf13", - "sha256": "3b5ed1a030bfd0bb73d4ffcd67a6a0b8501ef70293f223efaa12f430adf270f9" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791744839680, - "mapped_size": 0, - "path": 
"C:\\Windows\\system32\\bcryptprimitives.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258932, - "hashes": { - "imphash": "0e8a67fa12ce3d22a9e1d18bda5c3260", - "md5": "7a17485dc7d8a7ac81321a42cd034519", - "sha1": "83d1722a35eb16b010d8c9f72c627e97d4642101", - "sha256": "88d8705fa901793fc8c1cfd0175e49a6502bf0fc94a066ba573d2fd13aa5f04a" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791743201280, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\USERENV.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534853, - "hashes": { - "imphash": "1bcae470249f30c5f912c1293a2d3470", - "md5": "9c9307c95671ac962f3d6eb3a4a89bae", - "sha1": 
"6190ce7b101c5946b1d773245d286a1e592f5181", - "sha256": "d1433791c9b8bceead8937ec18d33e89e4e2012b5975228a8500fd141bc30078" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791743070208, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\GPAPI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - } - ], - "name": "AmSvc.exe", - "parent_exe": "C:\\Windows\\System32\\services.exe", - "parent_name": "services.exe", - "pid": 1076, - "ppid": 432, - "primary_token": { - "domain": "NT AUTHORITY", - "integrity_level": 16384, - "integrity_level_name": "system", - "privileges": [ - { - "description": "Replace a process level token", - "enabled": false, - "name": "SeAssignPrimaryTokenPrivilege" - }, - { - "description": "Lock pages in memory", - "enabled": true, - "name": "SeLockMemoryPrivilege" - }, - { - "description": "Adjust memory quotas for a process", - "enabled": false, - "name": "SeIncreaseQuotaPrivilege" - }, - { - "description": "Act as part of the operating system", - "enabled": true, - "name": "SeTcbPrivilege" - }, - { - "description": "Manage auditing and security log", - "enabled": false, - "name": "SeSecurityPrivilege" - }, - { - "description": "Take ownership of files or other objects", - "enabled": false, - "name": "SeTakeOwnershipPrivilege" - }, - { - "description": "Load and unload device drivers", - "enabled": true, - "name": "SeLoadDriverPrivilege" - }, - { - "description": "Profile system performance", - "enabled": true, - "name": "SeSystemProfilePrivilege" - }, - { - "description": "Change the system time", - "enabled": false, - "name": "SeSystemtimePrivilege" - }, - { - "description": "Profile single process", - "enabled": true, - "name": "SeProfileSingleProcessPrivilege" - }, - { - "description": "Increase scheduling priority", - "enabled": true, - "name": "SeIncreaseBasePriorityPrivilege" - }, - { - "description": "Create a 
pagefile", - "enabled": true, - "name": "SeCreatePagefilePrivilege" - }, - { - "description": "Create permanent shared objects", - "enabled": true, - "name": "SeCreatePermanentPrivilege" - }, - { - "description": "Back up files and directories", - "enabled": true, - "name": "SeBackupPrivilege" - }, - { - "description": "Restore files and directories", - "enabled": true, - "name": "SeRestorePrivilege" - }, - { - "description": "Shut down the system", - "enabled": false, - "name": "SeShutdownPrivilege" - }, - { - "description": "Debug programs", - "enabled": true, - "name": "SeDebugPrivilege" - }, - { - "description": "Generate security audits", - "enabled": true, - "name": "SeAuditPrivilege" - }, - { - "description": "Modify firmware environment values", - "enabled": false, - "name": "SeSystemEnvironmentPrivilege" - }, - { - "description": "Bypass traverse checking", - "enabled": true, - "name": "SeChangeNotifyPrivilege" - }, - { - "description": "Remove computer from docking station", - "enabled": false, - "name": "SeUndockPrivilege" - }, - { - "description": "Perform volume maintenance tasks", - "enabled": false, - "name": "SeManageVolumePrivilege" - }, - { - "description": "Impersonate a client after authentication", - "enabled": true, - "name": "SeImpersonatePrivilege" - }, - { - "description": "Create global objects", - "enabled": true, - "name": "SeCreateGlobalPrivilege" - }, - { - "description": "Increase a process working set", - "enabled": true, - "name": "SeIncreaseWorkingSetPrivilege" - }, - { - "description": "Change the time zone", - "enabled": true, - "name": "SeTimeZonePrivilege" - }, - { - "description": "Create symbolic links", - "enabled": true, - "name": "SeCreateSymbolicLinkPrivilege" - } - ], - "sid": "S-1-5-18", - "type": "tokenPrimary", - "user": "SYSTEM" - }, - "services": [ - { - "name": "CybereasonAntiMalware" - } - ], - "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", - "sha256": 
"8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2", - "sid": "S-1-5-18", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted", - "threads": [ - { - "create_time": 1542788400, - "entrypoint": 5362733988, - "thread_id": 1080, - "up_time": 1084 - }, - { - "create_time": 1542788400, - "entrypoint": 2006167232, - "thread_id": 1108, - "up_time": 1083 - }, - { - "create_time": 1542788400, - "entrypoint": 8791693804752, - "thread_id": 1232, - "up_time": 1080 - }, - { - "create_time": 1542788400, - "entrypoint": 8791693762672, - "thread_id": 1244, - "up_time": 1080 - }, - { - "create_time": 1542788400, - "entrypoint": 8791679862464, - "thread_id": 1392, - "up_time": 1070 - }, - { - "create_time": 1542788400, - "entrypoint": 8791679862464, - "thread_id": 1396, - "up_time": 1070 - }, - { - "create_time": 1542788400, - "entrypoint": 8791679865776, - "thread_id": 1400, - "up_time": 1070 - }, - { - "create_time": 1542788400, - "entrypoint": 8791679929872, - "thread_id": 1404, - "up_time": 1070 - }, - { - "create_time": 1542788400, - "entrypoint": 2006186944, - "thread_id": 1480, - "up_time": 1067 - }, - { - "create_time": 1542788400, - "entrypoint": 8791704162340, - "thread_id": 1632, - "up_time": 1033 - }, - { - "create_time": 1542788400, - "entrypoint": 8791698721056, - "thread_id": 1640, - "up_time": 1033 - }, - { - "create_time": 1542788400, - "entrypoint": 8791698721056, - "thread_id": 1644, - "up_time": 1033 - }, - { - "create_time": 1542788400, - "entrypoint": 8791698721056, - "thread_id": 1648, - "up_time": 1033 - }, - { - "create_time": 1542788400, - "entrypoint": 8791698721056, - "thread_id": 1652, - "up_time": 1033 - }, - { - "create_time": 1542788400, - "entrypoint": 8791698721392, - "thread_id": 1656, - "up_time": 1033 - }, - { - "create_time": 1542788400, - "entrypoint": 8791698720112, - "thread_id": 1660, - "up_time": 1033 - }, - { - "create_time": 1542788400, - "entrypoint": 8791698720736, - "thread_id": 1664, - "up_time": 1033 
- }, - { - "create_time": 1542788400, - "entrypoint": 8791698722160, - "thread_id": 1668, - "up_time": 1033 - }, - { - "create_time": 1542788400, - "entrypoint": 5362651040, - "thread_id": 1672, - "up_time": 1033 - }, - { - "create_time": 1542788400, - "entrypoint": 5362651040, - "thread_id": 1680, - "up_time": 1033 - }, - { - "create_time": 1542788900, - "entrypoint": 8791680004352, - "thread_id": 1808, - "up_time": 587 - }, - { - "create_time": 1542789000, - "entrypoint": 2006186944, - "thread_id": 2284, - "up_time": 432 - }, - { - "create_time": 1542789100, - "entrypoint": 2006186944, - "thread_id": 1780, - "up_time": 364 - }, - { - "create_time": 1542789100, - "entrypoint": 2006186944, - "thread_id": 12, - "up_time": 343 - }, - { - "create_time": 1542789200, - "entrypoint": 8791748438592, - "thread_id": 2476, - "up_time": 168 - } - ], - "unique_pid": 22, - "unique_ppid": 8, - "up_time": 1084, - "user": "SYSTEM" - }, - "acting_thread": { - "create_time": 1542788400, - "service_name": "CybereasonAntiMalware", - "thread_id": 1648, - "thread_start_address": 8791698721056, - "thread_start_address_module": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll" - } - }, - "captured_file": false, - "file_name": "C:\\Windows\\TEMP\\tmp0000008f\\tmp00001c75", - "file_operation": "creation", - "file_owner": "Administrators", - "file_size": 188416, - "hashes": { - "imphash": "835d619dfdf3cc727cebd91300ab3462", - "md5": "4ace3baaa509d08510405e1b169e325b", - "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", - "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" - }, - "is_signature_trusted": false, - "malware_classification": { - "compressed_malware_features": { - "data_buffer": "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", - "decompressed_size": 27831, - "encoding": "zlib" - }, - "identifier": "endpointpe", - "prevention_threshold": 0.66, - "score": 1, - "threshold": 0.66, - "version": "3.0.33" - }, - "pid": 1076, - "ppid": 432, - 
"signature_signer": "", - "temp_file_path": "C:\\Windows\\TEMP\\27fef9a8-bd80-4784-934c-76b383147d3f", - "timestamp": { - "accessed": 1542789400, - "created": 1542789400, - "modified": 1542789400 - }, - "user_blacklisted": false - }, - "event_subtype_full": "file_classification_event", - "event_type_full": "alert_event", - "metadata": { - "beta_alert": false, - "chunk_id": 0, - "collection_time": 1542789400, - "correlation_id": "3aab8e43-2cdb-4d32-b46b-b8382ff11939", - "destination_plugin": "send", - "final": true, - "is_alert": true, - "key": "fileClassificationEventResponse", - "message_id": "31b54c77-fdbb-4550-9259-0dce12b98ec2", - "origination_task_id": "7aa040c3-7751-4b8f-9629-9ed4d84c1507", - "os_type": "windows", - "priority": 80, - "result": { - "local_code": 0, - "local_msg": "Success" - }, - "semantic_version": "3.50.0", - "sensor_version": "3.50.0", - "task_id": "7aa040c3-7751-4b8f-9629-9ed4d84c1507", - "type": "detection" - }, - "opcode": 8, - "serial_event_id": 167011, - "timestamp": 132140242101035230, - "timestamp_utc": "2019-09-27 02:16:50Z" - }, - "event": { - "action": "file_classification_event", - "dataset": "esensor", - "kind": "alert", - "module": "endgame" - }, - "host": { - "hostname": "HD-ssm-0b0d26ad", - "ip": "10.81.164.74", - "name": "HD-ssm-0b0d26ad", - "os": { - "name": "Windows", - "platform": "windows", - "version": "6.1" - } - }, - "labels": { - "account_id": "8c48070b-4b61-4ded-86d5-1b9a7a78229c", - "endpoint_id": "5085268f-7443-4f15-85d2-bf14b2a69c60" - }, - "user": { - "group": { - } - } - }, - "type": "_doc" - } - }, - { - "type": "doc", - "value": { - "id": "kuNEc20BW148Je-rmp1N", - "index": "test_alert_data", - "source": { - "@timestamp": 1542341895000, - "agent": { - "id": "ced9c68e-b94a-4d66-bb4c-6106514f0a2f", - "type": "endgame", - "version": "3.0.0" - }, - "ecs": { - "version": "1.1.0" - }, - "endgame": { - "data": { - "alert_details": { - "acting_process": { - "authenticode": { - "cert_signer": { - "issuer_name": 
"Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "cmdline": "C:\\Windows\\Explorer.EXE", - "create_time": 1542341500, - "domain": "WIN-Q3DOP1UKA81", - "exe": "C:\\Windows\\explorer.exe", - "hashes": { - "md5": "ac4c51eb24aa95b77f705ab159189e24", - "sha1": "4583daf9442880204730fb2c8a060430640494b1", - "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a" - }, - "imphash": "6422e341c67ba0880e012f8c7c634c21", - "is_sensor": false, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "md5": "ac4c51eb24aa95b77f705ab159189e24", - "modules": [ - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290248516, - "hashes": { - "imphash": "6422e341c67ba0880e012f8c7c634c21", - "md5": "ac4c51eb24aa95b77f705ab159189e24", - "sha1": "4583daf9442880204730fb2c8a060430640494b1", - "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - 
"mapped_address": 4278845440, - "mapped_size": 0, - "path": "C:\\Windows\\Explorer.EXE", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 05:28" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258681, - "hashes": { - "imphash": "d41d8cd98f00b204e9800998ecf8427e", - "md5": "3556d5a8bf2cc508bdab51dec38d7c61", - "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", - "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2007891968, - "mapped_size": 0, - "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258315, - "hashes": { - "imphash": "9165b02c931d76a9b666d8d42128111b", - "md5": "7a6326d96d53048fdec542df23d875a0", - "sha1": 
"5c02af0206c299f5bcab8da4237cfc92e3e93495", - "sha256": "182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2006712320, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\kernel32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258316, - "hashes": { - "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", - "md5": "da68c291b4ef2dec9c5963266bcae454", - "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", - "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791760175104, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\KERNELBASE.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - 
"more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534699, - "hashes": { - "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", - "md5": "6df46d2bd74e3da1b45f08f10d172732", - "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", - "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791763779584, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ADVAPI32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535038, - "hashes": { - "imphash": "8c99b1c0f6cf68b07336751f460f1dba", - "md5": "7319bb10fa1f86e49e3dcf4136f6c957", - "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", - "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791790780416, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\msvcrt.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 
00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535198, - "hashes": { - "imphash": "b8ba136689cdc8d8b25fc04902f39a22", - "md5": "83404dcbce4925b6a5a77c5170f46d86", - "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", - "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791793074176, - "mapped_size": 0, - "path": "C:\\Windows\\SYSTEM32\\sechost.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258798, - "hashes": { - "imphash": "46876e4adb924a616ddbbb1992d61257", - "md5": "0611473c1ad9e2d991cd9482068417f7", - "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", - "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791762403328, - "mapped_size": 0, - "path": 
"C:\\Windows\\system32\\RPCRT4.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258001, - "hashes": { - "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", - "md5": "1084aa52ccc324ea54c7121fa24c2221", - "sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", - "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791792615424, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\GDI32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258929, - "hashes": { - "imphash": "2cb501375ed127591bf5cfee7f1e52fe", - "md5": "fe70103391a64039a921dbfff9c7ab1b", - "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", - "sha256": 
"f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2005663744, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\USER32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534943, - "hashes": { - "imphash": "919110853c18aa198ad129945337b1dd", - "md5": "d202223587518b13d72d68937b7e3f70", - "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", - "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791763714048, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\LPK.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - 
"program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258933, - "hashes": { - "imphash": "17bf46cf6bf6c8cae48be5b75615a353", - "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", - "sha1": "66310680ee38904b2852717af13028e53b4e8b8e", - "sha256": "2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791782522880, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\USP10.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258859, - "hashes": { - "imphash": "4b37cbf60127ea0550ec30e0b1c52984", - "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", - "sha1": "3b099b193abb9064e6937101d0c309f04d713882", - "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791792091136, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SHLWAPI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - 
"cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258854, - "hashes": { - "imphash": "9c631776d86c9b15258c3cc2a6a7891d", - "md5": "26e716ed95dc48cf6e5ac046089366af", - "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", - "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791765811200, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SHELL32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258732, - "hashes": { - "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", - "md5": "6c60b5aca7442efb794082cdacfc001c", - "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", - "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791783374848, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ole32.dll", - "signature_signer": "Microsoft Windows", - 
"signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258736, - "hashes": { - "imphash": "774fed8966de60d3af2dd9070df5be6f", - "md5": "42f05f980f164e084db65b2e8cd8430f", - "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", - "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791785537536, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\OLEAUT32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258088, - "hashes": { - "imphash": "ec96d3f694248151f968633563d10a36", - "md5": "eed05d42d91835064703e2318552ed25", - "sha1": "aa7e817ccad26070bce1161894f97e10aaa56fb9", - "sha256": "e9ee1e2253445b207b76f5d3073c612ed979a982522c1515e0fe8fa9641ae568" - }, - 
"malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791634935808, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\EXPLORERFRAME.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534886, - "hashes": { - "imphash": "c0e1a4a34891e5dd2a6cbaa0895a8d38", - "md5": "8ccde014a4cdf84564e03ace064ca753", - "sha1": "957e29e029fe60b8ff43ff732463c39230b78226", - "sha256": "dd663029b2eb7b12fdb00fce403d8326141e540e3b9ce84cd5871473d3e2e2cf" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791735599104, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\DUser.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": 
"" - }, - "compile_time": 1247534885, - "hashes": { - "imphash": "9353143c2b77b94cc82ab55c5fecf99c", - "md5": "3cb6a7286422c72c34dab54a5dff1a34", - "sha1": "5b93896a6abb36c2b8957973e3ce1860c1059367", - "sha256": "98d21efff511e407336a226420701e82554da01fa05661303836b6860d63749d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791721181184, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\DUI70.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534912, - "hashes": { - "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", - "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", - "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", - "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791793205248, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\IMM32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft 
Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535018, - "hashes": { - "imphash": "b523fff180cb22465ccf191b827e9923", - "md5": "c431eaf5caa1c82cac2534a2eab348a3", - "sha1": "e425577ccfc9b92efbbcb760d21fcaa478d3e51a", - "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791764697088, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSCTF.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535251, - "hashes": { - "imphash": "56e651a119cdb899aadd2df3832bbcd1", - "md5": "d29e998e8277666982b4f0303bf4e7af", - "sha1": "e803b0af61ea2ddcd58b5a63b1cfbb73266318ea", - "sha256": "4f19ab5dc173e278ebe45832f6ceaa40e2df6a2eddc81b2828122442fe5d376c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791742480384, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\UxTheme.dll", - "signature_signer": "Microsoft Windows", - "signature_status": 
"trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535202, - "hashes": { - "imphash": "1c419f7cfacebfcd8e903e6be290407e", - "md5": "716175021bda290504ce434273f666bc", - "sha1": "4f00fbf4e9a88fae9e6682989032831b3d2eba86", - "sha256": "fa18ca2d8a5f4335e051e2933147d3c1e7308f7d446e2aeb6596cdef6e2afc88" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791718690816, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\POWRPROF.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258850, - "hashes": { - "imphash": "a7a25e8b145e75fdeb21026d3895033a", - "md5": "5d8e6c95156ed1f79a63d1eade6f9ed5", - "sha1": "cadd211d74385550c5e055d3312303f4d64fdebc", - "sha256": "12130837d7f89a2c7e9d25747a8e5b9001e0a38d545178b49b450c23ae62664a" - }, - 
"malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791788814336, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SETUPAPI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257756, - "hashes": { - "imphash": "5cd9d6761799e2ff681533ef1ffbb31d", - "md5": "2477a28081bdaee622cf045acf8ee124", - "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", - "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791760633856, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CFGMGR32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - 
"compile_time": 1247534817, - "hashes": { - "imphash": "2dbdaadf7e151289a49662379e253dfd", - "md5": "06fec9e8117103bb1141a560e98077da", - "sha1": "a8922793a930d602409b62be5ff01d5baec60000", - "sha256": "c5e61b11ddbbbbba3d9488970524f0975ea5fbdf16e2fa31f579f8bfa48353b1" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791760044032, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\DEVOBJ.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534887, - "hashes": { - "imphash": "e7f2585307f1db90e7e5e48c40dc7134", - "md5": "da1b7075260f3872585bfcdd668c648b", - "sha1": "f2bd334006d728422721b7c639145a6ec59a459b", - "sha256": "3e10ef6e1a5c341b478322cb78a0ab7bfc70ad8023779b8b4542a7cb4ca756ab" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791742873600, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\dwmapi.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp 
PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535203, - "hashes": { - "imphash": "6a5a31c99a1562b9e5e10f4b4445be95", - "md5": "be097f5bb10f9079fceb2dc4e7e20f02", - "sha1": "dd572bac50bc4718126389c628d56a83d5c4d88a", - "sha256": "90a88986c8c5f30fb153ec803feda6572b2c2630a6c9578fcc017800692694d5" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791732256768, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\slc.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257495, - "hashes": { - "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", - "md5": "497bfeddaf3950dd909c3b0c5558a25d", - "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", - "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791732453376, - "mapped_size": 0, - "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", - 
"signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258848, - "hashes": { - "imphash": "cc4d63ca30fdbb90048e549782d2116a", - "md5": "858df0795cb5b4bace0f33708925a414", - "sha1": "e629ed78e6e1829263890974760dad8a431edf69", - "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791754801152, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\Secur32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258927, - "hashes": { - "imphash": "b32250da0d30f7782b5b900d4d9c519a", - "md5": "2a86e54b441ad41557f75dc5609b9793", - "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", - "sha256": 
"8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791756701696, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SSPICLI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258762, - "hashes": { - "imphash": "26c2856b9813d8990c01c5a711b5063a", - "md5": "f06bb4e336ea57511fdbafafcc47de62", - "sha1": "bfee1b9d2269d26d99c8e462825ee8399c8bd4ec", - "sha256": "be43ec62548e9ff89a9495a1722e22dbb76eec3764f86e64057b636f27d15765" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791728259072, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\PROPSYS.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - 
"program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534993, - "hashes": { - "imphash": "f0c6fd6831905d958b05645b680db89f", - "md5": "784fa3df338e2e8f5f0389d6fac428af", - "sha1": "6d32c67c91c6d374854e907c6719db2538540867", - "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791757291520, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPTBASE.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257499, - "hashes": { - "imphash": "cd11f800bc54ae45ead9d98c96048145", - "md5": "7fa8fdc2c2a27817fd0f624e78d3b50c", - "sha1": "b4aa8e16396b1882eb75c28dfbec9949608afdde", - "sha256": "7b63f6aa2cd6d4d07ea3c595b868b1a0749bb11620027a2bd9b935e3055481e4" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791736123392, - "mapped_size": 0, - "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - 
"serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258974, - "hashes": { - "imphash": "b03f7d8315f3384d06c11e961e6fee07", - "md5": "26b73a85855681500bcc25c7cd9ff5b1", - "sha1": "393ed9ebbe380c77935df6d0eda2047cdd2224fe", - "sha256": "94d134a6af53ad629a4505b8b0ea37f61bb43af4db71874e7e87853163a9282a" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791724851200, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WindowsCodecs.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535135, - "hashes": { - "imphash": "ff720e05e534d67b814b8562265058f5", - "md5": "2c942733a5983dd4502219ff37c7ebc7", - "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", - "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 
8791758143488, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\profapi.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257558, - "hashes": { - "imphash": "6af6d846a78a6532fcb989d0d8aeb17d", - "md5": "90499f3163a9f815cf196a205ea3cd5d", - "sha1": "f97ff54dc4b132756fcf7041e55d645163f19851", - "sha256": "29b4ed3795cec1177eb367132914ce21c194cdec5db9dc923fd928c85e94d821" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791756898304, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\apphelp.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534778, - "hashes": { - "imphash": "37afbae3e0f359c3718e379261f7ccfc", - "md5": "25983de69b57142039ac8d95e71cd9c9", - 
"sha1": "01691e3b0bfa569e64bdb7dc3d637a867ed2dc08", - "sha256": "a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791787700224, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CLBCatQ.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534842, - "hashes": { - "imphash": "cbda3eb1c9c46a2121362e9775f60b47", - "md5": "024352feec9042260bb4cfb4d79a206b", - "sha1": "79c23ce566219f87ade8e55a292aaaabe4a639ec", - "sha256": "60cb39086e10c5b66ebc15e4df219620b344b4358d2918ab6bb3448a0ac8be36" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791731994624, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\EhStorShell.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": 
"11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258701, - "hashes": { - "imphash": "37dad3873d5388f07576532bc042f677", - "md5": "7bbf670114373ce6a203fa155a9e0d0a", - "sha1": "104d89dde030b661d05c4c63a03fae1f46ab52d2", - "sha256": "36ef0a36c679e53b1b169289bd3c05d7c2839dc20c8c87bf520b633911fde198" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791647518720, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ntshrui.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258920, - "hashes": { - "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", - "md5": "3a9c9baf610b0dd4967086040b3b62a9", - "sha1": "3207ac7f895eab34623d994548d7810e54be3e79", - "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791753228288, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\srvcli.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 
00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258010, - "hashes": { - "imphash": "2ba777561101c3b07566cc50db3a564c", - "md5": "1bf0cb861a48feb1638228760750f3cb", - "sha1": "fbc77224c1b444a6ec25e99f995f2f355e4d1d26", - "sha256": "37c781a8c546ead8b4d28bd7d730b9ac78eb799599ad69dad9054b6f9f1dd6bd" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791649091584, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\cscapi.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:35" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1247534897, - "hashes": { - "imphash": "5bf52e420b6d5991bdcce16ada0828dc", - "md5": "1d63f4366288b8a7595397e27010fd44", - "sha1": "e459e1227083e4eabd19ee20e13754560fc7e02d", - "sha256": "99ea4ddd88d9c4a4cc9b238f533cb4d2c062d46239173997e8594d8a75811a01" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791735533568, - "mapped_size": 0, - "path": 
"C:\\Windows\\system32\\IconCodecService.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534998, - "hashes": { - "imphash": "77870f98ca4d25a823c74d7404a64bfd", - "md5": "d0c2fbb6d97416b0166478fc7ae2b212", - "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", - "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791750606848, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPTSP.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 17:43" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1247535161, - "hashes": { - "imphash": "b8c20a01e4d94df61ee21f5350389f9c", - "md5": "5d8874a8c11dddde29e12de0e2013493", - "sha1": 
"a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", - "sha256": "3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791747461120, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\rsaenh.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258799, - "hashes": { - "imphash": "a198edd0f73abd7cdbb54eef82ab1fc6", - "md5": "c2a8cb1275ecb85d246a9ecc02a728e3", - "sha1": "4417207821fc8f5c72ff531683f183caef297882", - "sha256": "3603fadca0060bd201148f9d59e4e2627f024609a6463ab525b5d1ad17bdcd10" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791758012416, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\RpcRtRemote.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - 
"more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258895, - "hashes": { - "imphash": "4fe9beaa9bd4aa01f5063a7352325c89", - "md5": "d7f1ef374a90709b31591823b002f918", - "sha1": "336ac44b8ee88a6af3f3eaf461b8bdf94fa657ff", - "sha256": "05fd2837c9b03d14bb2a969c1ad77caef047d93dc5d0f6c2acbf0888e8f7b359" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791730683904, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SndVolSSO.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534873, - "hashes": { - "imphash": "0a90384377303e2a2625725018566a89", - "md5": "896f15a6434d93edb42519d5e18e6b50", - "sha1": "b91a3512a80c4201c3fcfaf62abace894fbba328", - "sha256": "9263f0cec58d45ebe3fb9c3061fb9392c55a7933b84b4592e6ee13cfc86d5a50" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791731929088, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\HID.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 
07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534952, - "hashes": { - "imphash": "98a24f570dbcd3a092d95b3bd4e51a53", - "md5": "227e2c382a1e02f8d4965e664d3bbe43", - "sha1": "c4971ba9c1e4fdf0106c7cfab626a3d8737bbd07", - "sha256": "1cff20a8bf87ace4fa4935ebeed72bfb1a1fe902a754899e2f50798d67df5642" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791729504256, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\MMDevApi.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258898, - "hashes": { - "imphash": "e99757a4c1beee1b5bf8b7b33b444dcc", - "md5": "1fcb1a72bf5c784f7358e6bef38e4571", - "sha1": "ef944a320de79bf05f0e30f54f3f8b2ba2e82c4a", - "sha256": "12da4240f8c964eda6223257bd9723fd9372e63ae86f00509163b1de12a5f6c5" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791637426176, - "mapped_size": 0, - "path": 
"C:\\Windows\\system32\\timedate.cpl", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534704, - "hashes": { - "imphash": "d6de6fde05f96ac848accdb1aef473e4", - "md5": "58775492ffd419248b08325e583c527f", - "sha1": "b0e9ca05d46cb53049c4ca33fe04bd08989a78f9", - "sha256": "dbb013971f5894f25c222c2d4d50a29db6df3c413792ee9ccc1a9e6d85469093" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791732322304, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ATL.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535266, - "hashes": { - "imphash": "fa1e670045065ff088a4ac664f9ac3d7", - "md5": "9f2bacd5e1776a4bb7cc0ec3c3a4f96d", - "sha1": 
"ad8c7ec85d532e5725b8535830f27c1abcf139b4", - "sha256": "19959d18601712901f03b83150d15e34ebcab355bb4692c9a28511a72f57fc66" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791730618368, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINBRAND.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257498, - "hashes": { - "imphash": "53f2c3eaeaa6e619e0ccd6e671e96145", - "md5": "e6f0f82788e8bd0f7a616350efa0761c", - "sha1": "9aa4aafda89325853ffa66169e697529164a23a2", - "sha256": "13091dcb3e3f4f52c3ff210e93aaf1dce142cfc09f671aeac5b922393b23e67b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791633952768, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\actxprxy.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - 
"more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535165, - "hashes": { - "imphash": "ae5e5f76641aadaf99f0ca29d2e1cadd", - "md5": "1f4492fe41767cdb8b89d17655847cdd", - "sha1": "c836a5e65d56900b6658fdaa3df8579bdd07ec69", - "sha256": "184547fac0c3d7148faa3f601929a7089de393bd19929a137dad743331dd3f77" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791719739392, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ntmarta.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290259030, - "hashes": { - "imphash": "f792b6ec2e11bc79d8eb1bb1bcb79a91", - "md5": "4e4ffb09d895aa000dd56d1404f69a7e", - "sha1": "40f5c1890f6de5284f6c897255e6907b0272349a", - "sha256": "d999e04bb35780088480eab322176570591a21e311d204bdcab010a63b34d24c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791794974720, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WLDAP32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 
00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258853, - "hashes": { - "imphash": "2507624727988c72eb2a628a990000fd", - "md5": "c4f40f6cacd796a8e16671d0e9a2f319", - "sha1": "0881ae2a2fd3c5f03654410c474e5a25317942b2", - "sha256": "44853c645915d910ed0cc6d38f68b6c222528ec5fcbe990e238010f41204e682" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791729897472, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\shdocvw.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534923, - "hashes": { - "imphash": "e52a872655c57d1b906101b6d5449bbf", - "md5": "a0a65d306a5490d2eb8e7de66898ecfd", - "sha1": "880ac520eb1d38ebb591707a26e6dd300df40643", - "sha256": "ce5da408f4edd5e81ce0925867f03c9a35172cf1571fe4c4c052e45ab69822bb" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791729831936, - "mapped_size": 0, - "path": 
"C:\\Windows\\system32\\LINKINFO.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258932, - "hashes": { - "imphash": "0e8a67fa12ce3d22a9e1d18bda5c3260", - "md5": "7a17485dc7d8a7ac81321a42cd034519", - "sha1": "83d1722a35eb16b010d8c9f72c627e97d4642101", - "sha256": "88d8705fa901793fc8c1cfd0175e49a6502bf0fc94a066ba573d2fd13aa5f04a" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791745036288, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\USERENV.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258852, - "hashes": { - "imphash": "8b5c65294bec1cf89e97325a24b8cfc5", - "md5": "4e9c2db10f7e6ae91bf761139d4b745b", - "sha1": "6e8e6a53269ca8acc8c2456c80cd3a56d8deb98d", - 
"sha256": "8f63f78294f5585d599a114af449dcc447ccb239d0f0b490bfe6b34a2146e730" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791704207360, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\shacct.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535152, - "hashes": { - "imphash": "44b39e98ae2946f304f4dbadcfffa307", - "md5": "5b3ebfc3da142324b388ddcc4465e1ff", - "sha1": "86e20ebf70fd35723eb635c4f3684891a2547a7b", - "sha256": "5d58642305311f9bc9b779c9598bfc4e7433b3ea58404bf1ff9466838a2328c7" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791716069376, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SAMLIB.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": 
"http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258793, - "hashes": { - "imphash": "7fec5787890bfedd3b3aa4082f53a08e", - "md5": "fc51229c7d4afa0d6f186133728b95ab", - "sha1": "f7a2f224356e68b612ecce4512c99f5b9c264d7d", - "sha256": "37e58c8e1c8437d1981725a5dcdaca7316cefbb570370cefc8d122f523b96ac0" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791714168832, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\samcli.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258588, - "hashes": { - "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", - "md5": "6ceca4c6a489c9b2e6073afdaae3f607", - "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", - "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791722426368, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\netutils.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": 
"Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535084, - "hashes": { - "imphash": "14bd8d9a93b98b2479e1f6cd57b7c790", - "md5": "7cb3acb163de051169095dc6507b8977", - "sha1": "b891ebebb25655157f7c612d5763e995c86009a2", - "sha256": "45d4deb0695440d8b5e959945b3f7a773e02e2ab305e316123a1064fc1905402" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791703945216, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\msls31.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257535, - "hashes": { - "imphash": "bf738a2fc0ab0601eea36f35e4cbcd27", - "md5": "0bee002c68e28ce6da161dcf1376d7d7", - "sha1": "d5cc3bec12c801e11217acc6927e1e6e401fe208", - "sha256": "1d4ee0b9ce22d139478008d5591b8c9f027c235cba601f95a96547cf98159d4b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791631134720, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\authui.dll", - 
"signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258007, - "hashes": { - "imphash": "76801e47683b36a4115dbe046717edbe", - "md5": "b3bfbd758506ecb50c5804aaa76318f9", - "sha1": "bf6c922467347a6690eb19c5e82be09b3295778b", - "sha256": "34e079a6ab2d41d1e0b3887b6ae31c43941061b7176fff2801c3f465c2c89578" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791630020608, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPTUI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257999, - "hashes": { - "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", - "md5": "3f9f2afa135f0663946a006dd5ffd897", - "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", - "sha256": 
"276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791760896000, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPT32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258373, - "hashes": { - "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", - "md5": "884415bd4269c02eaf8e2613bf85500d", - "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", - "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791759060992, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSASN1.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - 
"program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258922, - "hashes": { - "imphash": "75124ca243f494ff6127697f3ebc418a", - "md5": "5fada8b707318e1bd63a7e2b81e6c8cb", - "sha1": "c5ad1c9bbc2f565237a144b9cf44711dfcf65ea5", - "sha256": "2590e88cab52fcc1b24cb262d293131c6280a5f234e0c130e77aa8697efa3b5f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791793401856, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\urlmon.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258980, - "hashes": { - "imphash": "248b27a31ddf696c2e3bfe6aed9c3eba", - "md5": "f6c5302e1f4813d552f41a0ac82455e5", - "sha1": "f0ec3ad7e90f559d1bc9b8849cf5668cafba2031", - "sha256": "e3ebf44621efc6381baae0f0efc13c356dcb6ee31bb258137edb3cc3e18549b5" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791786455040, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WININET.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - 
"cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258097, - "hashes": { - "imphash": "f6db6123d8a383f58cf318d00d2e7d1d", - "md5": "5180380d353277d395d3b36d790aa93e", - "sha1": "d5622ec5d922233867422d1e143969e226bb9a1c", - "sha256": "89b894eccf65704d00d30ea3bd45b184bfab8345b779f9ae2be66b9fc7226f72" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791780032512, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\iertutil.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535234, - "hashes": { - "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", - "md5": "94e026870a55aaeaff7853c1754091e9", - "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", - "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791743004672, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\VERSION.dll", - "signature_signer": 
"Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290259004, - "hashes": { - "imphash": "da0bcac0c5f9dc653d00eecd5fb1c801", - "md5": "0d9764d58c5efd672b7184854b152e5e", - "sha1": "99d78db040987c69b6a70a42af86641ba0413956", - "sha256": "9827b43dabbec39ab2e2294408d9c5304ef27a684903c5234c6070387723d49e" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791758209024, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINSTA.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535280, - "hashes": { - "imphash": "af1203c1d6d810c97729856780869b12", - "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", - "sha1": "c53e005cd04d99331ce3114ac119256133202313", - "sha256": 
"81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791683301376, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINMM.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258936, - "hashes": { - "imphash": "7e9874f9ecf2191b91f9a4dfa37f2ba1", - "md5": "1473768973453de50dc738c2955fc4dd", - "sha1": "7b046f6070844e3bc7deae115a1dfe5825030513", - "sha256": "14bc5da2442cb726acc1f277ddbeccf5d61e3a0a3e083a55a0bb610191e35220" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791648239616, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\wdmaud.drv", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - 
"program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535081, - "hashes": { - "imphash": "086996ef0b01a463f114deb5244861b9", - "md5": "8560fffc8eb3a806dcd4f82252cfc8c6", - "sha1": "7562bbb63b0db6e4986ebdb86495c4fe284a1eaa", - "sha256": "cc27bc092369a89d6147b16568fedeb68b584d5738cd686c31f7fae22ed17b3b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 1968373760, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ksuser.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534742, - "hashes": { - "imphash": "690cce63d22e22d9aa225c4a9290b2c4", - "md5": "78a1e65207484b7f8d3217507745f47c", - "sha1": "3542a591e9c97b48739f69e2a193dff461ea097c", - "sha256": "35f413adb9d157f3666dd15dd58104d629cd9143198a1ab914b73a4a3c9903dd" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791718625280, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\AVRT.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - 
}, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257517, - "hashes": { - "imphash": "64661addcde8896487dcc7cd32a4eda9", - "md5": "dc220ae6f64819099f7ebd6f137e32e7", - "sha1": "5707f15b666c7d3b07dfce9dac665a2e45c39113", - "sha256": "b8fe13b859fa83500dd95637fa6d4a5b8392c2a363e41d014d3b5374f636e1de" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791659118592, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\AUDIOSES.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534992, - "hashes": { - "imphash": "3bf8d3fd03f9d07b7821df4b1da2be9d", - "md5": "1b7c3a37362c7b2890168c5fc61c8d9b", - "sha1": "78ba8d596c0ac4c38acb498416957891570a2a1d", - "sha256": "03727930e5bb5f9d91bab901fc9a2e3b795d68e2aee6a2cc3477f356c45a9c54" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791728062464, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\msacm32.drv", - "signature_signer": 
"Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534991, - "hashes": { - "imphash": "9611d7fd4fe3c571fbf1db3d718ba82c", - "md5": "10ac5ce9f78dc281a1bbd9b8cc587b8a", - "sha1": "207582f9d9bec00a932fba886d575ee5b6502d42", - "sha256": "72288c0a88916d3c3828dbd948dbdb0928f26106319f8e60102d6c9004514d60" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791716659200, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSACM32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535038, - "hashes": { - "imphash": "5a8ee2f48e79ef6ac4b33366d6642b50", - "md5": "ca2a0750ed830678997695ff61b04c30", - "sha1": "a27df990dde73e72bb02105f8af689a1ac324e59", - "sha256": 
"e84860cd97aa3c4565abb2d5d406a5c42b1ad2d8ba1b8cf81fe564d91f15f976" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791727996928, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\midimap.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 07:10" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1247535256, - "hashes": { - "imphash": "04a5e982c134477b1914ebcd7b6436d0", - "md5": "d6f630c1fd7f436316093ae500363b19", - "sha1": "197897b74f411040ba7df41a5bd3c1030661b904", - "sha256": "73a94b4938430396ea4240b1a6676b4e6c19cfaf8c52efb9a69b4b2175a86307" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791727734784, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\XmlLite.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - 
"program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258889, - "hashes": { - "imphash": "8181b1ef70ff3d29984db497f92a2662", - "md5": "c3761661c17c2248a9379a8fb89e3de1", - "sha1": "d2ea41e02bbaa77f8b93b09277596a34cdae8853", - "sha256": "ce3477fa2b4058eb80739e0161fe957545f13cf86d313f6422732901d35f75f2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791617568768, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\stobject.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257641, - "hashes": { - "imphash": "fbe995ff97475c5aa2777a4bc493d4b1", - "md5": "f832eeea97cdda1af577e721f652a0d1", - "sha1": "48f227a1e10d49edf56e3559e05c871bc285c199", - "sha256": "ebbb7ca199ba4df231123922bd310d43de0104c6185b70fe0281b938d5336f2e" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791616782336, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\BatMeter.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - 
"cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535260, - "hashes": { - "imphash": "5d8fff13bf206e589cae241fc7f4d464", - "md5": "bd3674be7fc9d8d3732c83e8499576ed", - "sha1": "cb96190d6366e11dd6e6b48f4cdc4332015cfa67", - "sha256": "e6716a5895d629263a4d21959f48840429ab6f4b55a5fa2663ee5e86c9ca2bf1" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791727538176, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WTSAPI32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290259008, - "hashes": { - "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", - "md5": "eb3f9c2de1236b5d46b2291d82970e43", - "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", - "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791759781888, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINTRUST.dll", - "signature_signer": 
"Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534970, - "hashes": { - "imphash": "8accd78cb7feca81ac448f0485be30dc", - "md5": "4166f82be4d24938977dd1746be9b8a0", - "sha1": "5174036d781677f5444d9a23079baf18f4bbda44", - "sha256": "24121751b7306225ad1c808442d7b030def377e9316aa0a3c5c7460e87317881" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791730159616, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\es.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257970, - "hashes": { - "imphash": "8c20d7b93902b8c193a7fc1b4b58e9aa", - "md5": "42a9cb6906d9a8bedc83b57163e62924", - "sha1": "50e5592460d91205e912d55f60a2dd3cc4da4329", - "sha256": 
"e18522d3137653140757829efbfce624a5baa5842e2bba10b9e5ab6c84be49e1" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791614619648, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\dxp.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258826, - "hashes": { - "imphash": "1df61af51096e9bbbdc1834405984e4c", - "md5": "2d2a6ec8ead30ec3ace2fd6fb1b3e122", - "sha1": "1e77948378474e155307d290b998994f720206bf", - "sha256": "e7ea375a3bde8fc764cb09524344370b9ee25f98ad6c83e6f37a569eb8d277d6" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791614160896, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\prnfldr.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": 
"Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290259000, - "hashes": { - "imphash": "2f59265cb3df847423b60921203365be", - "md5": "0015acfbbdd164a8a730009908868ca7", - "sha1": "671c084513461900550bd49d3dccb58bdbe05adf", - "sha256": "e1ff243ad2cf959fab81efe701592414991c03416ff296adc93906e76b707c4d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791654924288, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINSPOOL.DRV", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535225, - "hashes": { - "imphash": "3d49b728c9125f451e7f2f215e9d3bbb", - "md5": "2bc7c9fd0a9f2c9afc373f3ad1ee3891", - "sha1": "1b7c6960a72509d1f408022d791c6a65acb2a75d", - "sha256": "0a82a475301202791a7c10f978f952eab7db146a702d4ea67e24e2c98bc19638" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791648108544, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\Syncreg.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - 
"cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258789, - "hashes": { - "imphash": "c5c69e7d20ca382ddbc49947d651a8e7", - "md5": "10f815be90a66aafc6c713d1bd626064", - "sha1": "3e21f173a6bcdf629c442d89abadc48137c61bb2", - "sha256": "01139fc04bc53594296f6a0e16b8d20b940f64bc8119fe7705c03c4947958f39" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791612325888, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\pnidui.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258791, - "hashes": { - "imphash": "6437e4761b1278fdecf142a679216f7b", - "md5": "b9f0a4020aa98b7a20287bf7fe99a1fd", - "sha1": "1f28ac7493ce972b45de191780a190504d1d0c44", - "sha256": "21138f161eeea46198890c7a2d073f2c82829e15676131bdad9f237edc7477cd" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791612194816, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\QUtil.dll", - "signature_signer": "Microsoft Windows", - 
"signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535239, - "hashes": { - "imphash": "deeb658dae29d8df1c8dbb08f06801b0", - "md5": "3c073b0c596a0af84933e7406766b040", - "sha1": "06185554c38353211430f5f075c490558e46fb3d", - "sha256": "4698bba678f553e15ad4b07ad7fb236281f872defee97bfd637114476c8f97b3" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791752769536, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\wevtapi.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258586, - "hashes": { - "imphash": "97bb6eee9e1ea3e5751077b655b54de5", - "md5": "a42f2c1eb3b66c54fb3c7b79d30c1a6d", - "sha1": "cee705de8d3dfcc9e2a14e0249d6be61fcd54a18", - "sha256": "a63836db3b01835dc1311526a95198d6ebccb1dc9ddafbc38ec36c128cdb98b9" - 
}, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791609507840, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\netshell.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258138, - "hashes": { - "imphash": "0bc508389b6b5577cf3cca214ca523a7", - "md5": "2b81776da02017a37fe26c662827470e", - "sha1": "8c85389640bea73a009d83079f8b4c963697035f", - "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791727210496, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - 
"compile_time": 1247535145, - "hashes": { - "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", - "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", - "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", - "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791763648512, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\NSI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535281, - "hashes": { - "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", - "md5": "4c9210e8f4e052f6a4eb87716da0c24c", - "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", - "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791726948352, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\WINNSI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - 
"serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258583, - "hashes": { - "imphash": "7e01da4b2a8806d2944a3ff2e271958f", - "md5": "2df36f15b2bc1571a6a542a3c2107920", - "sha1": "660a44b660d8e57ef7d7efbbc006ac390a7901fa", - "sha256": "a918f1ee95269df973421af2f5713deeaf15ef0f77baa7e8c515ffb69896fb7a" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791735992320, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\nlaapi.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534791, - "hashes": { - "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", - "md5": "4cbcc37856ea2039c27a2fb661dda0e5", - "sha1": "cc666108d34168420a1d1942dda1e090154c7296", - "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791723999232, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - 
"architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258981, - "hashes": { - "imphash": "1ec347d133df2fe4da3e5f8944caeae8", - "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", - "sha1": "d48aafa576b40a5e386e609bba1010472551154a", - "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791788486656, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WS2_32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:35" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257492, - "hashes": { - "imphash": "f5d0254c5435291634c8b7357aa536bd", - "md5": "92dbf0a4c9239169010fc6e07859c82e", - "sha1": "634d8c12de82c422dfeba8f9a5fa84d03b7bcd35", - "sha256": "00fb2cf4420f0ffef519afe732a708cf249640121e2a891caa164313abd7f804" - }, - "malware_classification": { - "identifier": 
"Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791608655872, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\Actioncenter.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534790, - "hashes": { - "imphash": "f17020f0f66b64fbdf51c75b43f3729d", - "md5": "f568f7c08458d69e4fcd8675bbb107e4", - "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", - "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791723868160, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257996, - "hashes": { - 
"imphash": "eb1c8dd21e1f92a8be35a76b165ce8da", - "md5": "52d3d5e3586988d4d9e34acaac33105c", - "sha1": "2c20246d2c45fb6e8976b37ad62465f5f4255f2b", - "sha256": "c61b60ba962b25b8334f0941c3535ea4aca1cc060b8a196e396ca3e11ceef8a1" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791746412544, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\credssp.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258110, - "hashes": { - "imphash": "9ba63732839305b29ebe539451171b45", - "md5": "8130391f82d52d36c0441f714136957f", - "sha1": "e2bb102565986a42d0a43bd3f337f94dbe54eead", - "sha256": "1fd4fee7caf63e450f27729e07ea2a2f09288629fd872dbb6e8710b16d8dbd5d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791608131584, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\imapi2.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - 
"subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258038, - "hashes": { - "imphash": "e070eff3751fea77ccd424469a9a07e6", - "md5": "6a5c1a8ac0b572679361026d0e900420", - "sha1": "fd9241fdda4b9d08ff1e205f9d5f78923ab884d8", - "sha256": "b5e693b48b462e97738a3d4e58b60846159649eb15f4d11074b4bc107cc88562" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791607345152, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\hgcpl.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535139, - "hashes": { - "imphash": "1e00eab90042e5099339cb82841b434a", - "md5": "f7073c962c4fb7c415565dde109de49f", - "sha1": "671c2e910ff954700b3a1f80608423697895c0a9", - "sha256": "781e7088dcefbc34a808c3e7da41a56112b3f23abe9f54b5ef4d5cd9cd016b1d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791680090112, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\npmproxy.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - 
"issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258777, - "hashes": { - "imphash": "d402ebf00a5cffa66b6682780c262457", - "md5": "6b851e682a36453e1b1ee297ffb6e2ab", - "sha1": "3dc85ba13d1f720e8039865817bcc65dc0f1d35b", - "sha256": "a641d3fd9463c4788b45b8b5584ea4489c1f63a71b4b595ae85ff3482cd5eda6" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791606099968, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\QAgent.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534818, - "hashes": { - "imphash": "09bf801b36364c598a2a8fdff079932c", - "md5": "cd1b5ad07e5f7fef30e055dcc9e96180", - "sha1": "4e835fdadd0c67fde44e385f69a1014d6ad11f4f", - "sha256": "63c58551f32b0b09377f64a6ae1fa81af93b8a707a57a8c18722086906ad3046" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - 
"version": "3.0.0" - }, - "mapped_address": 8791745167360, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\DEVRTL.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258413, - "hashes": { - "imphash": "08a9b8e4e42e5520be662b4663289747", - "md5": "1eac1a8ca6874bf5b15e2efb9a9a7b86", - "sha1": "30cff16f17833aa042d8b6cc32d86c4a39c77c67", - "sha256": "e15ed4fefc3010c213694331ddfdc03767682325c898d773ab243e2dc8b08461" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791633100800, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MsftEdit.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258939, - "hashes": { - "imphash": "6ac24d44010fe2db4d5e9e0651b7a3cf", - "md5": 
"f9959237f106f2b2609e61a290c0652e", - "sha1": "7f7c92c4fe8244a7deac7fed4d5576042bfba29e", - "sha256": "fccc12e5aae1773bf87b1c4bce71d017db1a5a7ac189559058ea1ecc72075a82" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791628709888, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\werconcpl.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535233, - "hashes": { - "imphash": "cce75846cdf9d74f85e44fc728ee8440", - "md5": "9689a9c7f7c2a1a423cda2c3b43fff65", - "sha1": "ebe6b3066634239a4f62780a8a6e27f33b0afc87", - "sha256": "914ad22d98975578bc14d821f72e8dfce24f2092f9c299d24ebbaf5408fe8b8b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791646994432, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\wer.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp 
Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257998, - "hashes": { - "imphash": "6e52c6bdbfd3d257064382284bd4f59c", - "md5": "1484b9ebf567346582de571b0e164ae0", - "sha1": "6b87eb7005fe659f976732307fe12b96747dfc8d", - "sha256": "9862bf22b2e32dabe7a82acee5b4ea1f0a93bdc3c71b20a6a4e568cccd76a7a6" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791628382208, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\framedynos.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535235, - "hashes": { - "imphash": "64b92457c7762d63f903189058d583ca", - "md5": "7e591867422dc788b9e5bd337a669a08", - "sha1": "3bd1b2a2271d6756351d9b4876193efd8a845da0", - "sha256": "484e6bccdf7adce9a1aacad1bc7c7d7694b9e40fa90d94b14d80c607784f6c75" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791628251136, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\wercplsupport.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft 
Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258497, - "hashes": { - "imphash": "2814c7c81c59e8a913c288a8c72a9c1c", - "md5": "5c29199c9f0ede64f17f268084ec4392", - "sha1": "a767e893427f9b24fe06cbb3a155dd54162a402a", - "sha256": "ea9fd588a8c89399dd287399a912b356a4234cfe418239b227d255749f5ddde2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791652564992, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\msxml6.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:35" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1247534858, - "hashes": { - "imphash": "2ab209fb6a68c8e15483324a442c1c4c", - "md5": "809ae7d4ace06bbcf621e5c504bf6fc8", - "sha1": "c0e2202d99db67a9efa6c67226410ad3c7b657a6", - "sha256": "0baab89fb57468f27446947d75cbd6ddfc92d9b8f040144a12656803b2f7bf65" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 
8791722491904, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\hcproviders.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:36" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258095, - "hashes": { - "imphash": "328b1cd6b239c7c01904019379bede4b", - "md5": "77a8a1791145710c7efe76ea82bf0763", - "sha1": "e421318d7b6d66c9214722c736f5b3d4207acf74", - "sha256": "9488b96e065299d273f9dcc82aa1203b48f0038d4f27324da19e9bfd925ca737" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791627726848, - "mapped_size": 0, - "path": "C:\\Program Files\\Internet Explorer\\ieproxy.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258892, - "hashes": { - "imphash": "ec50511b4e46da8b1a467667a84f8047", - "md5": "9cead32e79a62150fe9f8557e58e008b", - 
"sha1": "4cbd17b96209b5e2da683382e05cef55f48d6107", - "sha256": "afe4c1725ee94d7de0749ae1495a4e5cc33c369f29b2a589da66ffe27ff9777e" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791757357056, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SXS.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258896, - "hashes": { - "imphash": "d75a096a9c47b1fd385a268e9c6f2f68", - "md5": "24f4b480f335a6c724af352253c5d98b", - "sha1": "a388cc90338cec7b5eec66e921599de0cc275a2b", - "sha256": "011413b236cad7b78ce0a0eec3e3085d48c7576a3205d025ba6ebfdf590538e4" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791660232704, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\thumbcache.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, 
- "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247527581, - "hashes": { - "imphash": "be693a67b5b884d7609eaf574ba00955", - "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", - "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", - "sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2009726976, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\PSAPI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:36" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258093, - "hashes": { - "imphash": "39d5c5468a8e87803234025334b9dc09", - "md5": "f1115299b9f4c983bc4523b33e3a506c", - "sha1": "639946c23b630798284a92117882990ea31d702e", - "sha256": "01a1d8b3e5cf727f92f4a43d5c5f81022127d58a850d29d3f084ad411efbc9dd" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791578836992, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ieframe.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 
07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535131, - "hashes": { - "imphash": "84786d42c8a896b9a971b3c9eb8feb4c", - "md5": "9869a4a10b90546dbd56947839fb4b87", - "sha1": "5d9642f314d62dc5834cbd7950230bad3f85d982", - "sha256": "66c84dcf39d9f6896d55b1623184a028891a0a98abe6044de1d4bad60c3c8d72" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791591157760, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\OLEACC.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258887, - "hashes": { - "imphash": "e6c083bfcedd032db2c66cd04f74c620", - "md5": "4e81439902079c348b61d7ff027fe147", - "sha1": "4386a5580b459aa4a0701addb753c3f9bf3da6f7", - "sha256": "e652c9ec77745504689532b3c394959f9b5bc29e9c008cb9ee09cda818514fa9" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791658594304, - "mapped_size": 0, - "path": 
"C:\\Windows\\System32\\StructuredQuery.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258589, - "hashes": { - "imphash": "45badcf3f18f69f9f72af5245898d1cb", - "md5": "405f4d32d2185f1f1bd753d8eeaffb3a", - "sha1": "68bc45bac1e1584c789a6b3134bee5a2540f3e56", - "sha256": "cac42c3e09c43be96592b670d70821386014db22d8239a9cfb9e33e54fb5c3d5" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791656890368, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\NetworkExplorer.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258495, - "hashes": { - "imphash": "cdb39fb77293fb1bb86c2d5980ea8e88", - "md5": "022b05cee68d7826a93aedb4f1eb369e", - "sha1": 
"e7055d6cacb8c3fae06dc10ad480c8e6b8b7b592", - "sha256": "3b864d1471ed0949b02f1fa251b987185abeaddcbecd44efdbb6a7b7f03ca8bc" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791625760768, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\msxml3.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258914, - "hashes": { - "imphash": "6b6c83729fa36b04c301494d1eb07752", - "md5": "bb074f35b49eb2ea416962b596281e1e", - "sha1": "355fdb9e66ffad42144b1b6ec4d8eb357ed05d52", - "sha256": "e07208204b9616027e5144e2f3ef1ba81168365b7d2a761210b0fbc65b97871e" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791623598080, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\systemcpl.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - 
"more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258594, - "hashes": { - "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", - "md5": "764908fe1fa96f93c95b1b67a0fced29", - "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", - "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791722557440, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\NETAPI32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290259010, - "hashes": { - "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", - "md5": "3c91392d448f6e5d525a85b7550d8ba9", - "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", - "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791722295296, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\wkscli.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - 
"subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534877, - "hashes": { - "imphash": "3e340766bf7f54e3e9746a945d4dcb71", - "md5": "a77be7cb3222b4fb0ac6c71d1c2698d4", - "sha1": "e68b4e0058fb130c765e5aa98af36e26563809db", - "sha256": "73566223914bf670df6b5931fa213e546713531b10391ed65b5256bbd7abde7f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791735926784, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\DSROLE.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258758, - "hashes": { - "imphash": "c888173aa662e52d4b6194ed15819a13", - "md5": "db76db15efc6e4d1153a6c5bc895948d", - "sha1": "00dc6172c4507def32e4a269c08e76ab09abc3fe", - "sha256": "71ddf02c7ee2df66a08f1a2a08da39802c354624880a2be93a706ea7476422a3" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791690641408, - "mapped_size": 0, - "path": 
"C:\\Windows\\system32\\SPPC.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 07:10" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1247535243, - "hashes": { - "imphash": "9484a9d0a0e3ef20592c9f66412400a6", - "md5": "666a60f6f5e719856ff6254e0966eff7", - "sha1": "10258e708443bd21997e7a977b5ee36bd758e368", - "sha256": "58c072e7e215991e19c1ca062c476081982f7b9f039714539ae7feb4981c200f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791716200448, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\wbem\\wbemprox.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 07:10" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258938, - "hashes": { - "imphash": "03a62984ba62616e18740e69949df533", - "md5": "7db5aa22a8a8e5c2d335f44853c1f6de", - "sha1": "add6f6e2b6df5f571d06db724de5c7badad4e775", - 
"sha256": "a734a20357026c42950394682a52cbc3af956d09f1949e1b4e95467e999bc428" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791690051584, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\wbemcomn.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535244, - "hashes": { - "imphash": "6178a249d43f815225b0a9205f1f4f70", - "md5": "718b6f51ab7f6fe2988a36868f9ad3ab", - "sha1": "7cc84a20d6597f58eebabea5489d72239c6e746b", - "sha256": "76141b4e94c2766e2c34cef523092948771a7893212efadbe88d2171b85ff012" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791683170304, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\wbem\\wbemsvc.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 07:10" - }, - "more_info_link": 
"http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1247534846, - "hashes": { - "imphash": "c93ca8ec08e734d1b95c2a2d28884c47", - "md5": "a3f5e8ec1316c3e2562b82694a251c9e", - "sha1": "f0cdc2b44e609950ee97d9967c7459055a2af1a8", - "sha256": "f3dc6aa6a9d3b5bbc730668fc52c1d4bb5d515d404578bddd3d4869a7ed58822" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791688675328, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\wbem\\fastprox.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535150, - "hashes": { - "imphash": "29f9ce11d25836037034b49be93790c6", - "md5": "ee26d130808d16c0e417bbbed0451b34", - "sha1": "962d52fb4d8f9965c5fc11a98f2f9048a2a5d918", - "sha256": "4886dce4faef146a40babd492a8000a2022fea542a6135a9bafd4cd09297b4e5" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791688478720, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\NTDSAPI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - 
"subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258103, - "hashes": { - "imphash": "ba45ab39c8fb40e4076d27cf8e0f4180", - "md5": "b8509dcfcfd577f568be4026bfd982c0", - "sha1": "1923c5995faf94d9b1767aca04e3134a5cedc07a", - "sha256": "e3608e6de15c400fa437349e7295fef10a1a0213ca3b532a58964b8c89749110" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791788355584, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\imagehlp.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - } - ], - "name": "explorer.exe", - "parent_exe": "", - "parent_name": "", - "pid": 784, - "ppid": 704, - "primary_token": { - "domain": "WIN-Q3DOP1UKA81", - "integrity_level": 12288, - "integrity_level_name": "high", - "privileges": [ - { - "description": "Adjust memory quotas for a process", - "enabled": false, - "name": "SeIncreaseQuotaPrivilege" - }, - { - "description": "Manage auditing and security log", - "enabled": false, - "name": "SeSecurityPrivilege" - }, - { - "description": "Take ownership of files or other objects", - "enabled": false, - "name": "SeTakeOwnershipPrivilege" - }, - { - "description": "Load and unload device drivers", - "enabled": false, - "name": "SeLoadDriverPrivilege" - }, - { - "description": "Profile system performance", - "enabled": false, - "name": "SeSystemProfilePrivilege" - }, - { - "description": "Change the system time", - "enabled": false, - "name": "SeSystemtimePrivilege" - }, - { - "description": "Profile single process", - "enabled": false, - "name": "SeProfileSingleProcessPrivilege" - }, - { - 
"description": "Increase scheduling priority", - "enabled": false, - "name": "SeIncreaseBasePriorityPrivilege" - }, - { - "description": "Create a pagefile", - "enabled": false, - "name": "SeCreatePagefilePrivilege" - }, - { - "description": "Back up files and directories", - "enabled": false, - "name": "SeBackupPrivilege" - }, - { - "description": "Restore files and directories", - "enabled": false, - "name": "SeRestorePrivilege" - }, - { - "description": "Shut down the system", - "enabled": false, - "name": "SeShutdownPrivilege" - }, - { - "description": "Debug programs", - "enabled": false, - "name": "SeDebugPrivilege" - }, - { - "description": "Modify firmware environment values", - "enabled": false, - "name": "SeSystemEnvironmentPrivilege" - }, - { - "description": "Bypass traverse checking", - "enabled": true, - "name": "SeChangeNotifyPrivilege" - }, - { - "description": "Force shutdown from a remote system", - "enabled": false, - "name": "SeRemoteShutdownPrivilege" - }, - { - "description": "Remove computer from docking station", - "enabled": false, - "name": "SeUndockPrivilege" - }, - { - "description": "Perform volume maintenance tasks", - "enabled": false, - "name": "SeManageVolumePrivilege" - }, - { - "description": "Impersonate a client after authentication", - "enabled": true, - "name": "SeImpersonatePrivilege" - }, - { - "description": "Create global objects", - "enabled": true, - "name": "SeCreateGlobalPrivilege" - }, - { - "description": "Increase a process working set", - "enabled": false, - "name": "SeIncreaseWorkingSetPrivilege" - }, - { - "description": "Change the time zone", - "enabled": false, - "name": "SeTimeZonePrivilege" - }, - { - "description": "Create symbolic links", - "enabled": false, - "name": "SeCreateSymbolicLinkPrivilege" - } - ], - "sid": "S-1-5-21-2016385190-3414718578-1263322444-500", - "type": "tokenPrimary", - "user": "Administrator" - }, - "sha1": "4583daf9442880204730fb2c8a060430640494b1", - "sha256": 
"6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", - "sid": "S-1-5-21-2016385190-3414718578-1263322444-500", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted", - "threads": [ - { - "create_time": 1542341500, - "entrypoint": 4279023504, - "thread_id": 1920, - "up_time": 437 - }, - { - "create_time": 1542341500, - "entrypoint": 2008002240, - "thread_id": 1812, - "up_time": 437 - }, - { - "create_time": 1542341500, - "entrypoint": 8791783440744, - "thread_id": 2472, - "up_time": 436 - }, - { - "create_time": 1542341500, - "entrypoint": 8791792141832, - "thread_id": 2468, - "up_time": 436 - }, - { - "create_time": 1542341500, - "entrypoint": 8791790810108, - "thread_id": 2464, - "up_time": 436 - }, - { - "create_time": 1542341500, - "entrypoint": 8791792141832, - "thread_id": 2476, - "up_time": 435 - }, - { - "create_time": 1542341500, - "entrypoint": 2008021952, - "thread_id": 1800, - "up_time": 434 - }, - { - "create_time": 1542341500, - "entrypoint": 2008021952, - "thread_id": 2516, - "up_time": 433 - }, - { - "create_time": 1542341500, - "entrypoint": 8791792141832, - "thread_id": 2500, - "up_time": 433 - }, - { - "create_time": 1542341500, - "entrypoint": 8791792141832, - "thread_id": 1068, - "up_time": 432 - }, - { - "create_time": 1542341500, - "entrypoint": 8791792141832, - "thread_id": 2676, - "up_time": 428 - }, - { - "create_time": 1542341500, - "entrypoint": 8791792141832, - "thread_id": 2660, - "up_time": 428 - }, - { - "create_time": 1542341500, - "entrypoint": 8791792141832, - "thread_id": 2748, - "up_time": 428 - }, - { - "create_time": 1542341500, - "entrypoint": 8791729529348, - "thread_id": 2636, - "up_time": 428 - }, - { - "create_time": 1542341500, - "entrypoint": 8791792141832, - "thread_id": 2732, - "up_time": 424 - }, - { - "create_time": 1542341500, - "entrypoint": 8791783440744, - "thread_id": 1472, - "up_time": 419 - }, - { - "create_time": 1542341500, - "entrypoint": 2008021952, - "thread_id": 2220, 
- "up_time": 415 - }, - { - "create_time": 1542341800, - "entrypoint": 2008021952, - "thread_id": 2332, - "up_time": 104 - }, - { - "create_time": 1542341800, - "entrypoint": 2008021952, - "thread_id": 3712, - "up_time": 99 - }, - { - "create_time": 1542341800, - "entrypoint": 8791792141832, - "thread_id": 2080, - "up_time": 85 - }, - { - "create_time": 1542341800, - "entrypoint": 2008021952, - "thread_id": 4012, - "up_time": 81 - }, - { - "create_time": 1542341800, - "entrypoint": 2008021952, - "thread_id": 4060, - "up_time": 81 - }, - { - "create_time": 1542341800, - "entrypoint": 2008021952, - "thread_id": 520, - "up_time": 77 - }, - { - "create_time": 1542341800, - "entrypoint": 2008021952, - "thread_id": 3236, - "up_time": 74 - }, - { - "create_time": 1542341800, - "entrypoint": 2008021952, - "thread_id": 3260, - "up_time": 72 - }, - { - "create_time": 1542341900, - "entrypoint": 8791792141832, - "thread_id": 3680, - "up_time": 56 - }, - { - "create_time": 1542341900, - "entrypoint": 2008021952, - "thread_id": 3708, - "up_time": 55 - }, - { - "create_time": 1542341900, - "entrypoint": 2008021952, - "thread_id": 2512, - "up_time": 55 - }, - { - "create_time": 1542341900, - "entrypoint": 8791792141832, - "thread_id": 3748, - "up_time": 54 - }, - { - "create_time": 1542341900, - "entrypoint": 8791690668104, - "thread_id": 3872, - "up_time": 51 - }, - { - "create_time": 1542341900, - "entrypoint": 8791683305488, - "thread_id": 1016, - "up_time": 26 - }, - { - "create_time": 1542341900, - "entrypoint": 2008021952, - "thread_id": 3520, - "up_time": 26 - }, - { - "create_time": 1542341900, - "entrypoint": 8791792141832, - "thread_id": 3992, - "up_time": 13 - }, - { - "create_time": 1542341900, - "entrypoint": 8791760904360, - "thread_id": 3604, - "up_time": 12 - } - ], - "unique_pid": 35, - "unique_ppid": 0, - "up_time": 437, - "user": "Administrator" - } - }, - "captured_file": false, - "file_name": 
"C:\\Users\\Administrator\\Downloads\\endpointpe-blacklist-test.exe", - "file_operation": "open", - "file_owner": "Administrators", - "file_size": 188416, - "hashes": { - "imphash": "835d619dfdf3cc727cebd91300ab3462", - "md5": "4ace3baaa509d08510405e1b169e325b", - "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", - "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" - }, - "is_signature_trusted": false, - "malware_classification": { - "compressed_malware_features": { - "data_buffer": "eAHtnU1oHHUUwHsQ7MGDiIIUD4sH8WBBxJtopiLoUY0pYo2ZTbJJ0yQ17m4+ms/NRzeVWpuUWCL4sWlEYvFQ8KJQ6NCTEA8eRD30sIo3PdSriLi7837Pko3LbHZ2M5m+XObHm/d/X////83O7jCZvzacHBpPplNdfalkdjSdyty674Ft59dN71Dpb9v5eKh8LMEHjsCF2wIfVlRKsHROYPGkQO5+gY2vBSYYdWZFYGwEO/cITHMqkxPYnBBY+07gtCuQ9gSGigJ5lPPYGXcE+jA4z3Ad1ZtAUiDUyrEEPYzqRnIKgxd/Rgc7gygPo5wn95PouN7OeEYJ1UXiJgRmvscgp/LOziIkkSyT+xRVnXhZ4DKh5goCkzidRHkGO4uvCyw9LDDtCay8ILCAzrJOJaGuZwUuvSewivJVIPsklq8JbL4qMJsTSCcExrGs83WKU295ZFo5lr2TaZbcUw5FeJy8tgTeLpCy2iGeS67ABXzlgbEi1UC5FxcZnA4y/CLK82Qxi847FGGZRTLsCUxR1aWEwOp1AmOjDRYYzgwusL9WfqBiGJxnVAanixTq7Dp22LBdlWMJzlOx8wmBK2Rx5WmBLJIRwtAijOQE+ooCb2B5xBOYRtlfNeXpLpA7oyZRTqHzGenkmIJPnhBIMrzTwSA6H93CO5l+c1NA99f6IwLH8fUKdjTmDpTbgS50+gGVnECnE4PpooC2guPoaPADSHrcncNHmEHtAFkq3+EI+A37zsrrTvH3WTkvJLoOTyBp10wx2JcgVCRahA4NrICE4a+hrMXsA3qAHItW188E8ejO7XV3eh/KCYwxlamEwCgL8lN2wTntfrhY/U0g/5KAdvUpT+AszWqBdqH7VLeeZrExK9Cv1UgIDKA8g/cx7QAEP+AhAfRaMKB2HOJh+BSFSqKjSytNGBlc6PrpxvK7lCVDxbSG3Z7AhCMwx6gelwgLAltXBXJUTH29j+U1LHdipx/QprfKfGnF0sBpdBYxmEQyTzW0h6/0khcuhhJYRufym+i4VKMocJMs/KvfoW3/UJb4PeZOSZVONThZz4djP/75TAXa/CVfOvX3RgVLIDreLPN1pP1osW7lGmHsEhjBOzf+EPBE4vndvWz5xb/cChxGcv1LAb+tluALKnZ47isf1MXvz1ZMlsCXbXtPceqhrcp1ps6YHwQeBXLEPCf7q23tl9uJui0bGBgYRAccv7uXr/g5Af+2oNTrpgTa/vnpjBvpLAwM4gRBPvIZGBgYGBgYGBgYGBgYGBgYGBgYGBgYNAOc9oMXs4GBgYFBcNBnww5QzDXgRtPSaZ5lg/itsRaslgZ3bnWEEVnhMetIBwiiVnlbCbWrEftrt11zdwWnseFW1QO63w1is3ptD1pV9xG0t+zvfUrzrvh380qwXWAVCw6h78GIfG7ZlzltXu6hd+y92fECRFhjuH3bXG8N43oXEHperdzvUbteaDxhVTUeq25fqhG1X6A
i8mtF6BDXz2wR+dzSgg4Qsxls5T11XMG+82y8GkG+b7kL69xg7mF1SFvhBgYGsYH/Xi7HE+PVkiB2jt1bNZxT+k4558jR53ydz5//1m1KOgYGBgYGBgYGEQfnsYaG2z1sdPJS79XQSu91ndobOAHCaN5vNzUk1bceQVzUpbw3iOuT+UFmR18bHrp3gyhDC56lCd1y85w2+HSNUwVhhdGC7blLf+bV/fqtvhMg1NDjCcugB1QXswbs8ekj/v1BgzFHBIIsyP+HfwFdMpzu", - "decompressed_size": 27831, - "encoding": "zlib" - }, - "identifier": "endpointpe", - "prevention_threshold": 0.66, - "score": 1, - "threshold": 0.66, - "version": "3.0.33" - }, - "pid": 784, - "ppid": 704, - "signature_signer": "", - "temp_file_path": "C:\\Windows\\TEMP\\581ac9e2-e9ea-499e-8ec6-d7eed985b6c3", - "timestamp": { - "accessed": 1542341100, - "created": 1542341100, - "modified": 1542341100 - }, - "user_blacklisted": false - }, - "event_subtype_full": "file_classification_event", - "event_type_full": "alert_event", - "metadata": { - "beta_alert": false, - "chunk_id": 0, - "collection_time": 1542341900, - "correlation_id": "9a754fa1-f526-4390-9adf-640cae174f66", - "destination_plugin": "send", - "final": true, - "is_alert": true, - "key": "fileClassificationEventResponse", - "message_id": "7b97295f-3aae-4dc8-944f-039f1064c55b", - "origination_task_id": "010d9a4e-dd34-4dfa-b283-a492a5785e90", - "os_type": "windows", - "priority": 80, - "result": { - "local_code": 0, - "local_msg": "Success" - }, - "semantic_version": "3.50.0", - "sensor_version": "3.50.0", - "task_id": "010d9a4e-dd34-4dfa-b283-a492a5785e90", - "type": "prevention" - }, - "opcode": 8, - "serial_event_id": 141336, - "timestamp": 132140205750594450, - "timestamp_utc": "2019-09-27 01:16:15Z" - }, - "event": { - "action": "file_classification_event", - "dataset": "esensor", - "kind": "alert", - "module": "endgame" - }, - "host": { - "hostname": "HD-c15-bc09190a", - "ip": "10.179.244.14", - "name": "HD-c15-bc09190a", - "os": { - "name": "Windows", - "platform": "windows", - "version": "6.1" - } - }, - "labels": { - "account_id": "8c48070b-4b61-4ded-86d5-1b9a7a78229c", - "endpoint_id": "ced9c68e-b94a-4d66-bb4c-6106514f0a2f" 
- }, - "user": { - "group": { - } - } - }, - "type": "_doc" - } - }, - { - "type": "doc", - "value": { - "id": "9ONEc20BW148Je-ro712", - "index": "test_alert_data", - "source": { - "@timestamp": 1542346435000, - "agent": { - "id": "c89dc040-2350-4d59-baea-9ff2e369136f", - "type": "endgame", - "version": "3.0.0" - }, - "ecs": { - "version": "1.1.0" - }, - "endgame": { - "data": { - "alert_details": { - "acting_process": { - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "cmdline": "\"C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe\"", - "create_time": 1542345900, - "domain": "NT AUTHORITY", - "exe": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", - "hashes": { - "md5": "1f2d082566b0fc5f2c238a5180db7451", - "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", - "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" - }, - "imphash": "c30d230b81c734e82e86e2e2fe01cd01", - "is_sensor": false, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "md5": "1f2d082566b0fc5f2c238a5180db7451", - "modules": [ - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1534424710, - "hashes": { - "imphash": "c30d230b81c734e82e86e2e2fe01cd01", - "md5": 
"1f2d082566b0fc5f2c238a5180db7451", - "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", - "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 5354225664, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 05:28" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258681, - "hashes": { - "imphash": "d41d8cd98f00b204e9800998ecf8427e", - "md5": "3556d5a8bf2cc508bdab51dec38d7c61", - "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", - "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2001141760, - "mapped_size": 0, - "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", 
- "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258315, - "hashes": { - "imphash": "9165b02c931d76a9b666d8d42128111b", - "md5": "7a6326d96d53048fdec542df23d875a0", - "sha1": "5c02af0206c299f5bcab8da4237cfc92e3e93495", - "sha256": "182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 1999962112, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\kernel32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258316, - "hashes": { - "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", - "md5": "da68c291b4ef2dec9c5963266bcae454", - "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", - "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791752769536, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\KERNELBASE.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - 
"serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258929, - "hashes": { - "imphash": "2cb501375ed127591bf5cfee7f1e52fe", - "md5": "fe70103391a64039a921dbfff9c7ab1b", - "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", - "sha256": "f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 1998913536, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\USER32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258001, - "hashes": { - "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", - "md5": "1084aa52ccc324ea54c7121fa24c2221", - "sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", - "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791766269952, - "mapped_size": 0, 
- "path": "C:\\Windows\\system32\\GDI32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534943, - "hashes": { - "imphash": "919110853c18aa198ad129945337b1dd", - "md5": "d202223587518b13d72d68937b7e3f70", - "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", - "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791758929920, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\LPK.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258933, - "hashes": { - "imphash": "17bf46cf6bf6c8cae48be5b75615a353", - "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", - "sha1": 
"66310680ee38904b2852717af13028e53b4e8b8e", - "sha256": "2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791760175104, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\USP10.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535038, - "hashes": { - "imphash": "8c99b1c0f6cf68b07336751f460f1dba", - "md5": "7319bb10fa1f86e49e3dcf4136f6c957", - "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", - "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791765286912, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\msvcrt.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - 
}, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534699, - "hashes": { - "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", - "md5": "6df46d2bd74e3da1b45f08f10d172732", - "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", - "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791761027072, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ADVAPI32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535198, - "hashes": { - "imphash": "b8ba136689cdc8d8b25fc04902f39a22", - "md5": "83404dcbce4925b6a5a77c5170f46d86", - "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", - "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791789010944, - "mapped_size": 0, - "path": "C:\\Windows\\SYSTEM32\\sechost.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 
23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258798, - "hashes": { - "imphash": "46876e4adb924a616ddbbb1992d61257", - "md5": "0611473c1ad9e2d991cd9482068417f7", - "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", - "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791770726400, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\RPCRT4.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1534424472, - "hashes": { - "imphash": "a24cfb84e3006f3634d5b09aed45c264", - "md5": "56e6aa240cf6503265fbe5cf4d5889e8", - "sha1": "2678a3c08b2f82598527bd0c064eb1be5877e277", - "sha256": "4e7e127e2818eeb2de34a9369dcaca233443f085e53706c969592a9907df2ae8" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791706042368, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\AP.dll", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted" - }, - 
{ - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1534424450, - "hashes": { - "imphash": "f12460104bb4725d7964cf569f727f61", - "md5": "58017789505c114426b63c775debc12b", - "sha1": "0a348ca38bbcf851083578b77a8263765bd9b5e7", - "sha256": "1bd7d7b7b69e15adb6fcf0b520a7107eb5270163935e1f50fcee85ed65440b46" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791701979136, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\Protobuf.dll", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1438071093, - "hashes": { - "imphash": "341d1190606326748a708433d5d0cc36", - "md5": "0a2be3ed5a71082e5f9296f79323a639", - "sha1": "6acb15e8191b5530297c807d3066b1a71f4326d4", - "sha256": "8847013e01db09adab6a1dc338803df3696730577a0dda847847540529048aae" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791700799488, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\libprotobuf.dll", - "signature_signer": "Cybereason Inc", - 
"signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Code Signing PCA", - "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", - "subject_name": "Microsoft Corporation" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "10/04/2013 22:49" - }, - "more_info_link": "http://microsoft.com", - "program_name": "msvcp120.dll", - "publisher_link": "" - }, - "compile_time": 1380942867, - "hashes": { - "imphash": "d0a59246eab41d54812cd63c2326e1f1", - "md5": "46060c35f697281bc5e7337aee3722b1", - "sha1": "d0164c041707f297a73abb9ea854111953e99cf1", - "sha256": "2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791700078592, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSVCP120.dll", - "signature_signer": "Microsoft Corporation", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Code Signing PCA", - "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", - "subject_name": "Microsoft Corporation" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "10/04/2013 22:49" - }, - "more_info_link": "http://microsoft.com", - "program_name": "msvcr120.dll", - "publisher_link": "" - }, - "compile_time": 1380942847, - "hashes": { - "imphash": "8f18e22935ef8b336e246ee763fbec97", - "md5": "9c861c079dd81762b6c54e37597b7712", - "sha1": "62cb65a1d79e2c5ada0c7bfc04c18693567c90d0", - 
"sha256": "ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791699095552, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSVCR120.dll", - "signature_signer": "Microsoft Corporation", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258732, - "hashes": { - "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", - "md5": "6c60b5aca7442efb794082cdacfc001c", - "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", - "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791767121920, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\ole32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - 
"program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258736, - "hashes": { - "imphash": "774fed8966de60d3af2dd9070df5be6f", - "md5": "42f05f980f164e084db65b2e8cd8430f", - "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", - "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791769808896, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\OLEAUT32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258981, - "hashes": { - "imphash": "1ec347d133df2fe4da3e5f8944caeae8", - "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", - "sha1": "d48aafa576b40a5e386e609bba1010472551154a", - "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791771971584, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WS2_32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - 
"cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535145, - "hashes": { - "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", - "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", - "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", - "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791756898304, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\NSI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258859, - "hashes": { - "imphash": "4b37cbf60127ea0550ec30e0b1c52984", - "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", - "sha1": "3b099b193abb9064e6937101d0c309f04d713882", - "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791759650816, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SHLWAPI.dll", - "signature_signer": "Microsoft 
Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257495, - "hashes": { - "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", - "md5": "497bfeddaf3950dd909c3b0c5558a25d", - "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", - "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791725768704, - "mapped_size": 0, - "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258138, - "hashes": { - "imphash": "0bc508389b6b5577cf3cca214ca523a7", - "md5": "2b81776da02017a37fe26c662827470e", - "sha1": 
"8c85389640bea73a009d83079f8b4c963697035f", - "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791720460288, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\IPHLPAPI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535281, - "hashes": { - "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", - "md5": "4c9210e8f4e052f6a4eb87716da0c24c", - "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", - "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791720198144, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINNSI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 
19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247527581, - "hashes": { - "imphash": "be693a67b5b884d7609eaf574ba00955", - "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", - "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", - "sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 2003042304, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\PSAPI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", - "subject_name": "Cybereason Inc" - }, - "cert_timestamp": { - "issuer_name": "", - "serial_number": "", - "subject_name": "", - "timestamp_string": "" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1472978395, - "hashes": { - "imphash": "3a8c832bddbba9333df28c1da212318e", - "md5": "e1c637922e34d868ebcd6ef199cf1394", - "sha1": "01c19a0137082a03ecace613506af5fe9a66a12b", - "sha256": "0c0c7b4c9926413c285fa2345f08b895888887156277e535851a1f1d774e6c6c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791698243584, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\SQLite2015.dll", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": 
"Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534912, - "hashes": { - "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", - "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", - "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", - "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791766073344, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\IMM32.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535018, - "hashes": { - "imphash": "b523fff180cb22465ccf191b827e9923", - "md5": "c431eaf5caa1c82cac2534a2eab348a3", - "sha1": "e425577ccfc9b92efbbcb760d21fcaa478d3e51a", - "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791761944576, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSCTF.dll", - "signature_signer": "Microsoft Windows", - 
"signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534874, - "hashes": { - "imphash": "621a31b25a9ef1d128ea281b3eab572b", - "md5": "0040c486584a8e582c861cfb57ab5387", - "sha1": "bcf326e3f79b3db028c2ef1cc1a47d9697e867e7", - "sha256": "5ee17b55cb702d14ae75b19226de21cd2498bda6c6ef5872fdb8a718f401fed1" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791719346176, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\fwpuclnt.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258848, - "hashes": { - "imphash": "cc4d63ca30fdbb90048e549782d2116a", - "md5": "858df0795cb5b4bace0f33708925a414", - "sha1": "e629ed78e6e1829263890974760dad8a431edf69", - "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" - 
}, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791748050944, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\Secur32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258854, - "hashes": { - "imphash": "9c631776d86c9b15258c3cc2a6a7891d", - "md5": "26e716ed95dc48cf6e5ac046089366af", - "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", - "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791772299264, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\shell32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "11/29/2016 03:22" - }, - "more_info_link": "", - "program_name": "", - 
"publisher_link": "" - }, - "compile_time": 1480418473, - "hashes": { - "imphash": "f89e0a919d52e2b37d82d27f521530cf", - "md5": "f1a6e89598aa63a2efcfd1e31b44fe7c", - "sha1": "cd3a39758e72f42ef077c0ad9dd700509a032da6", - "sha256": "1ee6540520a7a84bc22036be42052303b5aed9911c9e8a04184a0688c63576f8" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791694901248, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDUpdateServiceCom.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258594, - "hashes": { - "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", - "md5": "764908fe1fa96f93c95b1b67a0fced29", - "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", - "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791715807232, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\NETAPI32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - 
"cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258588, - "hashes": { - "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", - "md5": "6ceca4c6a489c9b2e6073afdaae3f607", - "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", - "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791715676160, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\netutils.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258920, - "hashes": { - "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", - "md5": "3a9c9baf610b0dd4967086040b3b62a9", - "sha1": "3207ac7f895eab34623d994548d7810e54be3e79", - "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791746609152, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\srvcli.dll", - "signature_signer": "Microsoft Windows", - 
"signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290259010, - "hashes": { - "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", - "md5": "3c91392d448f6e5d525a85b7550d8ba9", - "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", - "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791715545088, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\wkscli.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535234, - "hashes": { - "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", - "md5": "94e026870a55aaeaff7853c1754091e9", - "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", - "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" - 
}, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791736254464, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\VERSION.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "01/18/2017 09:26" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1484760175, - "hashes": { - "imphash": "b33f679b12d9d05d922e720c0e21818c", - "md5": "1e5ea729f6dc5a8aff675a45706d389d", - "sha1": "f5a70ab4772325946a93c9eaf48ebe1dd1e7d3a3", - "sha256": "35da922b25ec8389a733f46a6c0d37c2c6b05463a123cde9fee48402c473e1ef" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791694245888, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\scan.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "11/22/2016 08:08" - }, - "more_info_link": "", 
- "program_name": "", - "publisher_link": "" - }, - "compile_time": 1479830743, - "hashes": { - "imphash": "513a166377e008d25aa2e22983dd13ff", - "md5": "3450d998edec5cdbd03b0df09c17e02d", - "sha1": "558979fb1a9368acdf2dc1e3d1afd94e7343f914", - "sha256": "c1f24493e4fc2a9c5d17e077455c3a610ad1e5fa46590f0f9598e680e5a07556" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791694114816, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "01/16/2017 05:34" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1484573247, - "hashes": { - "imphash": "d6d5dc292fe4d710905e9f280360309d", - "md5": "9f1bcf84eaa34afbdfcf19f22fc1d6f5", - "sha1": "e15e023d46738f4848f64ce853ada6a3083f8b7f", - "sha256": "d1c30b1a7fc63c4f52b00628c3e73f571db52ff2b87718bcb5a6322923f58987" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791693000704, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdquar.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 
83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "01/16/2017 05:34" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1484573248, - "hashes": { - "imphash": "4e1a791e94ac955105ddfaac387de22f", - "md5": "874d6017f89a2ef255a16280ed4b1bf7", - "sha1": "8951c3ab1c9ea0c312206b98d22a9779c8a89c8c", - "sha256": "00512202b78037c17a77b095fcb3458381002dbd20de8dee0c99ff7701343cda" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791691427840, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDSmartDB.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257756, - "hashes": { - "imphash": "5cd9d6761799e2ff681533ef1ffbb31d", - "md5": "2477a28081bdaee622cf045acf8ee124", - "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", - "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791752376320, - "mapped_size": 0, - 
"path": "C:\\Windows\\system32\\CFGMGR32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "DigiCert Assured ID Code Signing CA-1", - "serial_number": "0f b5 4c 96 fd 63 93 fd 7b b9 9c d1 d0 d5 16 ed ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "09/12/2018 01:20" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1512623776, - "hashes": { - "imphash": "e2dab13fa4a67b25d3fbae65a189c521", - "md5": "627d7f1de23e6b01d6251b4c6962e765", - "sha1": "5e1d1854861016198ce4a1dbdea883f257de9463", - "sha256": "82bdf513b5f5b55ff740482ee839b14455b2296e2a911cb9a1ae622969412ed5" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791684612096, - "mapped_size": 0, - "path": "C:\\ProgramData\\apv2\\bd_db\\1\\bdcore.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", - "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", - "subject_name": "Bitdefender SRL" - }, - "cert_timestamp": { - "issuer_name": "Symantec Time Stamping Services CA - G2", - "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", - "subject_name": "Symantec Time Stamping Services Signer - G4", - "timestamp_string": "09/13/2017 23:13" - }, - "more_info_link": "", - "program_name": "", - "publisher_link": "" - }, - "compile_time": 1505278115, - "hashes": { - "imphash": "c2979e6e570392ed85b4e15810f2e90f", - "md5": 
"3b4c71b64bc20b0c6578a091a031c0fb", - "sha1": "00cb578e723555e929e4ad8e820772b56ce29475", - "sha256": "52db08c10a5f1482dda8527d592f71b33c1cfecfa5a5a2d0be5a78325c41dd7b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791673536512, - "mapped_size": 0, - "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdnc.dll", - "signature_signer": "Bitdefender SRL", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257999, - "hashes": { - "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", - "md5": "3f9f2afa135f0663946a006dd5ffd897", - "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", - "sha256": "276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791753490432, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPT32.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp 
Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258373, - "hashes": { - "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", - "md5": "884415bd4269c02eaf8e2613bf85500d", - "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", - "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791752310784, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\MSASN1.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535280, - "hashes": { - "imphash": "af1203c1d6d810c97729856780869b12", - "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", - "sha1": "c53e005cd04d99331ce3114ac119256133202313", - "sha256": "81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791680024576, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINMM.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows 
Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258927, - "hashes": { - "imphash": "b32250da0d30f7782b5b900d4d9c519a", - "md5": "2a86e54b441ad41557f75dc5609b9793", - "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", - "sha256": "8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791749951488, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\SSPICLI.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290258493, - "hashes": { - "imphash": "466f15f36f10655b30e9347e7dfc2b52", - "md5": "1d5185a4c7e6695431ae4b55c3d7d333", - "sha1": "5e9f739d46e20541ffc0a6421dc6be416ca8f261", - "sha256": "16f3906c54f1d71559836fdfcf4e83e7c9f454463d78fd577ad2d7022e0bcb51" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 
8791743463424, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\mswsock.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535287, - "hashes": { - "imphash": "f967c6b35a5d1b7765016056a842e331", - "md5": "31559f3244c6bc00a52030caa83b6b91", - "sha1": "7943540153c7b7878101a4901d7935e05e7cfd32", - "sha256": "b2025742b5f0025ace9821d5722de3f997eeeab21d2f381c9e307882df422579" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791737106432, - "mapped_size": 0, - "path": "C:\\Windows\\System32\\wshtcpip.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534998, - "hashes": { - "imphash": "77870f98ca4d25a823c74d7404a64bfd", - "md5": 
"d0c2fbb6d97416b0166478fc7ae2b212", - "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", - "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791743856640, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPTSP.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 17:43" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1247535161, - "hashes": { - "imphash": "b8c20a01e4d94df61ee21f5350389f9c", - "md5": "5d8874a8c11dddde29e12de0e2013493", - "sha1": "a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", - "sha256": "3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791740710912, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\rsaenh.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", 
- "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534993, - "hashes": { - "imphash": "f0c6fd6831905d958b05645b680db89f", - "md5": "784fa3df338e2e8f5f0389d6fac428af", - "sha1": "6d32c67c91c6d374854e907c6719db2538540867", - "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791750541312, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\CRYPTBASE.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290257906, - "hashes": { - "imphash": "ff74e3ff0a015c2023b747f613061e42", - "md5": "a52b6cc24063cc83c78c0e6f24deec01", - "sha1": "a5384efac7d1f9213aaf0423ed0b021bc986b9df", - "sha256": "77e0d2b2356e71f9be52fa479c9dde17c453c198bb49cd4a97f2309628d82e3b" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791741890560, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\DNSAPI.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification 
PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534791, - "hashes": { - "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", - "md5": "4cbcc37856ea2039c27a2fb661dda0e5", - "sha1": "cc666108d34168420a1d1942dda1e090154c7296", - "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791717642240, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534790, - "hashes": { - "imphash": "f17020f0f66b64fbdf51c75b43f3729d", - "md5": "f568f7c08458d69e4fcd8675bbb107e4", - "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", - "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - 
"mapped_address": 8791717117952, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247534847, - "hashes": { - "imphash": "dda6776607f283829d85b996f5e46d03", - "md5": "f3d202f53a222d5f6944d459b73cf967", - "sha1": "c9db224ce8ec34aa2f341b6766ea67aa12f8b4a7", - "sha256": "e9f1d48eb333d32331bcfd0348fe07bee7d5352292e6020571da395f596affe7" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791668686848, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\FLTLIB.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "07/13/2009 19:17" - }, - "more_info_link": "http://www.microsoft.com/windows", - "program_name": "Windows System Catalog", - "publisher_link": "" - }, - "compile_time": 1247535135, - "hashes": { - "imphash": "ff720e05e534d67b814b8562265058f5", - "md5": 
"2c942733a5983dd4502219ff37c7ebc7", - "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", - "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791751393280, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\profapi.dll", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - }, - { - "architecture": "x64", - "authenticode": { - "cert_signer": { - "issuer_name": "Microsoft Windows Verification PCA", - "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", - "subject_name": "Microsoft Windows" - }, - "cert_timestamp": { - "issuer_name": "Microsoft Time-Stamp PCA", - "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", - "subject_name": "Microsoft Time-Stamp Service", - "timestamp_string": "11/20/2010 11:37" - }, - "more_info_link": "http://www.microsoft.com", - "program_name": "Microsoft Windows", - "publisher_link": "" - }, - "compile_time": 1290259008, - "hashes": { - "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", - "md5": "eb3f9c2de1236b5d46b2291d82970e43", - "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", - "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" - }, - "malware_classification": { - "identifier": "Whitelisted", - "score": 0, - "threshold": 0, - "version": "3.0.0" - }, - "mapped_address": 8791753228288, - "mapped_size": 0, - "path": "C:\\Windows\\system32\\WINTRUST.DLL", - "signature_signer": "Microsoft Windows", - "signature_status": "trusted" - } - ], - "name": "AmSvc.exe", - "parent_exe": "C:\\Windows\\System32\\services.exe", - "parent_name": "services.exe", - "pid": 1084, - "ppid": 436, - "primary_token": { - "domain": "NT AUTHORITY", - "integrity_level": 16384, - "integrity_level_name": "system", - "privileges": [ - { - "description": "Replace a process level token", - "enabled": false, - "name": "SeAssignPrimaryTokenPrivilege" - 
}, - { - "description": "Lock pages in memory", - "enabled": true, - "name": "SeLockMemoryPrivilege" - }, - { - "description": "Adjust memory quotas for a process", - "enabled": false, - "name": "SeIncreaseQuotaPrivilege" - }, - { - "description": "Act as part of the operating system", - "enabled": true, - "name": "SeTcbPrivilege" - }, - { - "description": "Manage auditing and security log", - "enabled": false, - "name": "SeSecurityPrivilege" - }, - { - "description": "Take ownership of files or other objects", - "enabled": false, - "name": "SeTakeOwnershipPrivilege" - }, - { - "description": "Load and unload device drivers", - "enabled": true, - "name": "SeLoadDriverPrivilege" - }, - { - "description": "Profile system performance", - "enabled": true, - "name": "SeSystemProfilePrivilege" - }, - { - "description": "Change the system time", - "enabled": false, - "name": "SeSystemtimePrivilege" - }, - { - "description": "Profile single process", - "enabled": true, - "name": "SeProfileSingleProcessPrivilege" - }, - { - "description": "Increase scheduling priority", - "enabled": true, - "name": "SeIncreaseBasePriorityPrivilege" - }, - { - "description": "Create a pagefile", - "enabled": true, - "name": "SeCreatePagefilePrivilege" - }, - { - "description": "Create permanent shared objects", - "enabled": true, - "name": "SeCreatePermanentPrivilege" - }, - { - "description": "Back up files and directories", - "enabled": true, - "name": "SeBackupPrivilege" - }, - { - "description": "Restore files and directories", - "enabled": true, - "name": "SeRestorePrivilege" - }, - { - "description": "Shut down the system", - "enabled": false, - "name": "SeShutdownPrivilege" - }, - { - "description": "Debug programs", - "enabled": true, - "name": "SeDebugPrivilege" - }, - { - "description": "Generate security audits", - "enabled": true, - "name": "SeAuditPrivilege" - }, - { - "description": "Modify firmware environment values", - "enabled": false, - "name": 
"SeSystemEnvironmentPrivilege" - }, - { - "description": "Bypass traverse checking", - "enabled": true, - "name": "SeChangeNotifyPrivilege" - }, - { - "description": "Remove computer from docking station", - "enabled": false, - "name": "SeUndockPrivilege" - }, - { - "description": "Perform volume maintenance tasks", - "enabled": false, - "name": "SeManageVolumePrivilege" - }, - { - "description": "Impersonate a client after authentication", - "enabled": true, - "name": "SeImpersonatePrivilege" - }, - { - "description": "Create global objects", - "enabled": true, - "name": "SeCreateGlobalPrivilege" - }, - { - "description": "Increase a process working set", - "enabled": true, - "name": "SeIncreaseWorkingSetPrivilege" - }, - { - "description": "Change the time zone", - "enabled": true, - "name": "SeTimeZonePrivilege" - }, - { - "description": "Create symbolic links", - "enabled": true, - "name": "SeCreateSymbolicLinkPrivilege" - } - ], - "sid": "S-1-5-18", - "type": "tokenPrimary", - "user": "SYSTEM" - }, - "services": [ - { - "name": "CybereasonAntiMalware" - } - ], - "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", - "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2", - "sid": "S-1-5-18", - "signature_signer": "Cybereason Inc", - "signature_status": "trusted", - "threads": [ - { - "create_time": 1542345900, - "entrypoint": 5354476452, - "thread_id": 1088, - "up_time": 601 - }, - { - "create_time": 1542345900, - "entrypoint": 2001252032, - "thread_id": 1116, - "up_time": 600 - }, - { - "create_time": 1542345900, - "entrypoint": 8791691510992, - "thread_id": 1204, - "up_time": 598 - }, - { - "create_time": 1542345900, - "entrypoint": 8791691468912, - "thread_id": 1220, - "up_time": 598 - }, - { - "create_time": 1542345900, - "entrypoint": 8791673571008, - "thread_id": 1392, - "up_time": 586 - }, - { - "create_time": 1542345900, - "entrypoint": 8791673571008, - "thread_id": 1396, - "up_time": 586 - }, - { - "create_time": 1542345900, - 
"entrypoint": 8791673574320, - "thread_id": 1400, - "up_time": 586 - }, - { - "create_time": 1542345900, - "entrypoint": 8791673638416, - "thread_id": 1404, - "up_time": 586 - }, - { - "create_time": 1542345900, - "entrypoint": 2001271744, - "thread_id": 1520, - "up_time": 584 - }, - { - "create_time": 1542345900, - "entrypoint": 8791699247140, - "thread_id": 1888, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 8791694133536, - "thread_id": 1904, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 8791694133536, - "thread_id": 1908, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 8791694133536, - "thread_id": 1912, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 8791694133536, - "thread_id": 1916, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 8791694133872, - "thread_id": 1920, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 8791694132592, - "thread_id": 1924, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 8791694133216, - "thread_id": 1928, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 8791694134640, - "thread_id": 1932, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 5354393504, - "thread_id": 1936, - "up_time": 547 - }, - { - "create_time": 1542345900, - "entrypoint": 5354393504, - "thread_id": 1944, - "up_time": 547 - }, - { - "create_time": 1542346000, - "entrypoint": 2001271744, - "thread_id": 2372, - "up_time": 509 - }, - { - "create_time": 1542346400, - "entrypoint": 8791743523392, - "thread_id": 4036, - "up_time": 43 - }, - { - "create_time": 1542346400, - "entrypoint": 8791673712896, - "thread_id": 4040, - "up_time": 43 - }, - { - "create_time": 1542346400, - "entrypoint": 2002168128, - "thread_id": 3372, - "up_time": 28 - } - ], - "unique_pid": 21, - "unique_ppid": 8, - "up_time": 601, - "user": "SYSTEM" - }, - "acting_thread": { - "create_time": 
1542345900, - "service_name": "CybereasonAntiMalware", - "thread_id": 1912, - "thread_start_address": 8791694133536, - "thread_start_address_module": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll" - } - }, - "captured_file": false, - "file_name": "C:\\Windows\\TEMP\\tmp0000045c\\tmp00001b4a", - "file_operation": "creation", - "file_owner": "Administrators", - "file_size": 188416, - "hashes": { - "imphash": "835d619dfdf3cc727cebd91300ab3462", - "md5": "4ace3baaa509d08510405e1b169e325b", - "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", - "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" - }, - "is_signature_trusted": false, - "malware_classification": { - "compressed_malware_features": { - "data_buffer": "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", - "decompressed_size": 27831, - "encoding": "zlib" - }, - "identifier": "endpointpe", - "prevention_threshold": 0.66, - "score": 1, - "threshold": 0.66, - "version": "3.0.33" - }, - "pid": 1084, - "ppid": 436, - "signature_signer": "", - "temp_file_path": "C:\\Windows\\TEMP\\37c97b4b-6ee8-476c-bfdd-c0cd6783b86d", - "timestamp": { - "accessed": 1542346400, - "created": 1542346400, - "modified": 1542346500 - }, - "user_blacklisted": false - }, - "event_subtype_full": "file_classification_event", - "event_type_full": "alert_event", - "metadata": { - "beta_alert": false, - "chunk_id": 0, - "collection_time": 1542346500, - "correlation_id": "2c827da1-f977-42a7-994b-ab7e5cc50329", - "destination_plugin": "send", - "final": true, - "is_alert": true, - "key": "fileClassificationEventResponse", - "message_id": "2280efbc-8bdf-49bf-a712-bc44acdf3eaa", - "origination_task_id": "4d9d9e7e-4ea1-4373-954c-e8cdbb85c61d", - "os_type": "windows", - "priority": 80, - "result": { - "local_code": 0, - "local_msg": "Success" - }, - "semantic_version": "3.50.0", - "sensor_version": "3.50.0", - "task_id": "4d9d9e7e-4ea1-4373-954c-e8cdbb85c61d", - "type": "detection" - }, - "opcode": 8, - 
"serial_event_id": 144711, - "timestamp": 132140207402716480, - "timestamp_utc": "2019-09-27 01:19:00Z" - }, - "event": { - "action": "file_classification_event", - "dataset": "esensor", - "kind": "alert", - "module": "endgame" - }, - "host": { - "hostname": "HD-m3z-4c803698", - "ip": "10.176.220.187", - "name": "HD-m3z-4c803698", - "os": { - "name": "Windows", - "platform": "windows", - "version": "10.0" - } - }, - "labels": { - "account_id": "8c48070b-4b61-4ded-86d5-1b9a7a78229c", - "endpoint_id": "c89dc040-2350-4d59-baea-9ff2e369136f" - }, - "user": { - "group": { - } - } - }, - "type": "_doc" - } - } - ] \ No newline at end of file diff --git a/x-pack/plugins/endpoint/server/services/endpoint/alert_query_builders.test.ts b/x-pack/plugins/endpoint/server/services/endpoint/alert_query_builders.test.ts new file mode 100644 index 00000000000000..a4d7de8fdcfdb1 --- /dev/null +++ b/x-pack/plugins/endpoint/server/services/endpoint/alert_query_builders.test.ts 
@@ -0,0 +1,74 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { httpServerMock, loggingServiceMock } from 'src/core/server/mocks';
+import { EndpointConfigSchema } from '../../config';
+import { getPagingProperties, buildAlertListESQuery } from './alert_query_builders';
+
+describe('test query builder', () => {
+ describe('test query builder request processing', () => {
+ it('should execute the correct Elasticsearch query for a default request', async () => {
+ const mockRequest = httpServerMock.createKibanaRequest({});
+ const mockCtx = {
+ logFactory: loggingServiceMock.create(),
+ config: () => Promise.resolve(EndpointConfigSchema.validate({})),
+ };
+ const queryParams = await getPagingProperties(mockRequest, mockCtx);
+ const query = await buildAlertListESQuery(queryParams);
+
+ expect(query).toEqual({
+ body: {
+ query: {
+ match_all: {},
+ },
+ sort: [
+ {
+ '@timestamp': {
+ order: 'desc',
+ },
+ },
+ ],
+ track_total_hits: 10000,
+ },
+ from: 0,
+ size: 10,
+ index: 'my-index',
+ } as Record);
+ });
+ it('should adjust track_total_hits for deep pagination', async () => {
+ const mockRequest = httpServerMock.createKibanaRequest({
+ query: {
+ page_index: 10,
+ page_size: 1000,
+ },
+ });
+ const mockCtx = {
+ logFactory: loggingServiceMock.create(),
+ config: () => Promise.resolve(EndpointConfigSchema.validate({})),
+ };
+ const queryParams = await getPagingProperties(mockRequest, mockCtx);
+ const query = await buildAlertListESQuery(queryParams);
+
+ expect(query).toEqual({
+ body: {
+ query: {
+ match_all: {},
+ },
+ sort: [
+ {
+ '@timestamp': {
+ order: 'desc',
+ },
+ },
+ ],
+ track_total_hits: 12000,
+ },
+ from: 10000,
+ size: 1000,
+ index: 'my-index',
+ } as Record);
+ });
+ });
+});
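Review bot: Neither case exercises the `request.body` branch of `getPagingProperties` or any out-of-range input; the first passes an empty request and the second only sets `query`. Adding cases for a body-carrying request and for negative, zero, non-integer and very large `page_size`/`page_index` values would pin how the builder treats hostile paging input before it reaches Elasticsearch. The deep-pagination case asserts `from: 10000` with `size: 1000` as the expected query, so as written it documents unbounded paging as intended behaviour rather than guarding against it.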
diff --git a/x-pack/plugins/endpoint/server/services/endpoint/alert_query_builders.ts b/x-pack/plugins/endpoint/server/services/endpoint/alert_query_builders.ts
new file mode 100644
index 00000000000000..a20f2ae1cdecd5
--- /dev/null
+++ b/x-pack/plugins/endpoint/server/services/endpoint/alert_query_builders.ts
@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { KibanaRequest } from 'kibana/server';
+import { EndpointAppConstants } from '../../../common/types';
+import { EndpointAppContext, AlertRequestParams, JSONish } from '../../types';
+
+export const buildAlertListESQuery = async (
+ pagingProperties: Record
+): Promise => {
+ const DEFAULT_TOTAL_HITS = 10000;
+
+ // Calculate minimum total hits set to indicate there's a next page
+ const totalHitsMin = Math.max(
+ pagingProperties.fromIndex + pagingProperties.pageSize * 2,
+ DEFAULT_TOTAL_HITS
+ );
+
+ return {
+ body: {
+ track_total_hits: totalHitsMin,
+ query: {
+ match_all: {},
+ },
+ sort: [
+ {
+ '@timestamp': {
+ order: 'desc',
+ },
+ },
+ ],
+ },
+ from: pagingProperties.fromIndex,
+ size: pagingProperties.pageSize,
+ index: EndpointAppConstants.ALERT_INDEX_NAME,
+ };
+};
+
+export const getPagingProperties = async (
+ request: KibanaRequest,
+ endpointAppContext: EndpointAppContext
+): Promise> => {
+ const config = await endpointAppContext.config();
+ const pagingProperties: { page_size?: number; page_index?: number } = {};
+
+ if (request?.route?.method === 'get') {
+ pagingProperties.page_index = request.query?.page_index;
+ pagingProperties.page_size = request.query?.page_size;
+ } else {
+ pagingProperties.page_index = request.body?.page_index;
+ pagingProperties.page_size = request.body?.page_size;
+ }
+
+ const pageSize = pagingProperties.page_size || config.alertResultListDefaultPageSize;
+ const pageIndex = pagingProperties.page_index || config.alertResultListDefaultFirstPageIndex;
+ const fromIndex = pageIndex * pageSize;
+
+ return { pageSize, pageIndex, fromIndex };
+};
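Review bot: `getPagingProperties` takes `page_size` and `page_index` from the request query or body and feeds their product into `from`, `size` and `track_total_hits` with no upper bound or integer check visible in this hunk, so a single request can ask Elasticsearch for an arbitrarily deep and wide page. Unless the route schema (not shown here) already constrains them, clamp both before computing `fromIndex`, e.g. `const pageSize = Math.min(pagingProperties.page_size ?? config.alertResultListDefaultPageSize, maxPageSize);` where `maxPageSize` is a placeholder for a configured limit. Requests whose `fromIndex + pageSize` exceeds the index's result window (`index.max_result_window`, 10000 by default) should be rejected with a client error rather than passed through. The `||` defaults also treat an explicit `0` as missing, which `??` would avoid, and `buildAlertListESQuery` is declared `async` although it awaits nothing.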
diff --git a/x-pack/plugins/endpoint/server/test_data/all_alerts_data.json b/x-pack/plugins/endpoint/server/test_data/all_alerts_data.json
new file mode 100644
index 00000000000000..128592f0f01dfd
--- /dev/null
+++ b/x-pack/plugins/endpoint/server/test_data/all_alerts_data.json
@@ -0,0 +1,5471 @@ +{ + "_shards": { + "failed": 0, + "skipped": 0, + "successful": 1, + "total": 1 + }, + "hits": { + "hits": [ + { + "_id": "mguP_G8BsHRXKE0Yiz15", + "_index": "my-index", + "_score": 1.0, + "_source": { + "@timestamp": 1542341895000, + "agent": { + "id": "ced9c68e-b94a-4d66-bb4c-6106514f0a2f", + "type": "endpoint", + "version": "3.0.0" + }, + "ecs": { + "version": "1.1.0" + }, + "event": { + "action": "open", + "category": "malware", + "dataset": "endpoint", + "kind": "alert", + "module": "endpoint", + "type": "access" + }, + "file": { + "accessed": 1542341100, + "created": 1542341100, + "hash": { + "imphash": "835d619dfdf3cc727cebd91300ab3462", + "md5": "4ace3baaa509d08510405e1b169e325b", + "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", + "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" + }, + "mtime": 1542341100, + "owner": "Administrators", + "path": "C:\\Users\\Administrator\\Downloads\\endpointpe-blacklist-test.exe", + "size": 188416 + }, + "file_classification": { + "captured_file": false, + "is_signature_trusted": false, + "malware_classification": { + "compressed_malware_features": { + "data_buffer": "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", + "decompressed_size": 27831, + "encoding": "zlib" + }, + "identifier": "endpointpe", + "prevention_threshold": 0.66, + "score": 1, + "threshold": 0.66, + "version": "3.0.33" + }, + "signature_signer": "", + "temp_file_path": "C:\\Windows\\TEMP\\581ac9e2-e9ea-499e-8ec6-d7eed985b6c3", + "user_blacklisted": false + }, + "host": { + "hostname": "HD-c15-bc09190a", + "ip": "10.179.244.14", + "name": "HD-c15-bc09190a", + "os": { + "name": "Windows", + "platform": "windows", + "version": "6.1" + } + }, + "process": { + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft 
Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "command_line": "C:\\Windows\\Explorer.EXE", + "domain": "WIN-Q3DOP1UKA81", + "executable": "C:\\Windows\\explorer.exe", + "file_hash": { + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "sha1": "4583daf9442880204730fb2c8a060430640494b1", + "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a" + }, + "hash": { + "imphash": "6422e341c67ba0880e012f8c7c634c21", + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "sha1": "4583daf9442880204730fb2c8a060430640494b1", + "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a" + }, + "is_endpoint": false, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "modules": [ + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290248516, + "hash": { + "imphash": "6422e341c67ba0880e012f8c7c634c21", + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "sha1": "4583daf9442880204730fb2c8a060430640494b1", + "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 4278845440, + "mapped_size": 
0, + "path": "C:\\Windows\\Explorer.EXE", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 05:28" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258681, + "hash": { + "imphash": "d41d8cd98f00b204e9800998ecf8427e", + "md5": "3556d5a8bf2cc508bdab51dec38d7c61", + "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", + "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2007891968, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258315, + "hash": { + "imphash": "9165b02c931d76a9b666d8d42128111b", + "md5": "7a6326d96d53048fdec542df23d875a0", + "sha1": "5c02af0206c299f5bcab8da4237cfc92e3e93495", + "sha256": 
"182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2006712320, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\kernel32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258316, + "hash": { + "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", + "md5": "da68c291b4ef2dec9c5963266bcae454", + "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", + "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760175104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\KERNELBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + 
"program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534699, + "hash": { + "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", + "md5": "6df46d2bd74e3da1b45f08f10d172732", + "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", + "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791763779584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ADVAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hash": { + "imphash": "8c99b1c0f6cf68b07336751f460f1dba", + "md5": "7319bb10fa1f86e49e3dcf4136f6c957", + "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", + "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791790780416, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msvcrt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" 
+ }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535198, + "hash": { + "imphash": "b8ba136689cdc8d8b25fc04902f39a22", + "md5": "83404dcbce4925b6a5a77c5170f46d86", + "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", + "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791793074176, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\sechost.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258798, + "hash": { + "imphash": "46876e4adb924a616ddbbb1992d61257", + "md5": "0611473c1ad9e2d991cd9482068417f7", + "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", + "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791762403328, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RPCRT4.dll", + "signature_signer": 
"Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258001, + "hash": { + "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", + "md5": "1084aa52ccc324ea54c7121fa24c2221", + "sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", + "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791792615424, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\GDI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258929, + "hash": { + "imphash": "2cb501375ed127591bf5cfee7f1e52fe", + "md5": "fe70103391a64039a921dbfff9c7ab1b", + "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", + "sha256": 
"f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2005663744, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USER32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534943, + "hash": { + "imphash": "919110853c18aa198ad129945337b1dd", + "md5": "d202223587518b13d72d68937b7e3f70", + "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", + "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791763714048, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\LPK.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + 
"program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258933, + "hash": { + "imphash": "17bf46cf6bf6c8cae48be5b75615a353", + "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", + "sha1": "66310680ee38904b2852717af13028e53b4e8b8e", + "sha256": "2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791782522880, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USP10.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258859, + "hash": { + "imphash": "4b37cbf60127ea0550ec30e0b1c52984", + "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", + "sha1": "3b099b193abb9064e6937101d0c309f04d713882", + "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791792091136, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHLWAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258854, + "hash": { + "imphash": "9c631776d86c9b15258c3cc2a6a7891d", + "md5": "26e716ed95dc48cf6e5ac046089366af", + "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", + "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791765811200, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHELL32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258732, + "hash": { + "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", + "md5": "6c60b5aca7442efb794082cdacfc001c", + "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", + "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791783374848, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ole32.dll", + "signature_signer": "Microsoft Windows", + 
"signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258736, + "hash": { + "imphash": "774fed8966de60d3af2dd9070df5be6f", + "md5": "42f05f980f164e084db65b2e8cd8430f", + "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", + "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791785537536, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEAUT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258088, + "hash": { + "imphash": "ec96d3f694248151f968633563d10a36", + "md5": "eed05d42d91835064703e2318552ed25", + "sha1": "aa7e817ccad26070bce1161894f97e10aaa56fb9", + "sha256": "e9ee1e2253445b207b76f5d3073c612ed979a982522c1515e0fe8fa9641ae568" + }, + 
"malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791634935808, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\EXPLORERFRAME.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534886, + "hash": { + "imphash": "c0e1a4a34891e5dd2a6cbaa0895a8d38", + "md5": "8ccde014a4cdf84564e03ace064ca753", + "sha1": "957e29e029fe60b8ff43ff732463c39230b78226", + "sha256": "dd663029b2eb7b12fdb00fce403d8326141e540e3b9ce84cd5871473d3e2e2cf" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735599104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DUser.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": 
"" + }, + "compile_time": 1247534885, + "hash": { + "imphash": "9353143c2b77b94cc82ab55c5fecf99c", + "md5": "3cb6a7286422c72c34dab54a5dff1a34", + "sha1": "5b93896a6abb36c2b8957973e3ce1860c1059367", + "sha256": "98d21efff511e407336a226420701e82554da01fa05661303836b6860d63749d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791721181184, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DUI70.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534912, + "hash": { + "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", + "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", + "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", + "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791793205248, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IMM32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp 
PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535018, + "hash": { + "imphash": "b523fff180cb22465ccf191b827e9923", + "md5": "c431eaf5caa1c82cac2534a2eab348a3", + "sha1": "e425577ccfc9b92efbbcb760d21fcaa478d3e51a", + "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791764697088, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSCTF.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535251, + "hash": { + "imphash": "56e651a119cdb899aadd2df3832bbcd1", + "md5": "d29e998e8277666982b4f0303bf4e7af", + "sha1": "e803b0af61ea2ddcd58b5a63b1cfbb73266318ea", + "sha256": "4f19ab5dc173e278ebe45832f6ceaa40e2df6a2eddc81b2828122442fe5d376c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791742480384, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\UxTheme.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { 
+ "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535202, + "hash": { + "imphash": "1c419f7cfacebfcd8e903e6be290407e", + "md5": "716175021bda290504ce434273f666bc", + "sha1": "4f00fbf4e9a88fae9e6682989032831b3d2eba86", + "sha256": "fa18ca2d8a5f4335e051e2933147d3c1e7308f7d446e2aeb6596cdef6e2afc88" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791718690816, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\POWRPROF.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258850, + "hash": { + "imphash": "a7a25e8b145e75fdeb21026d3895033a", + "md5": "5d8e6c95156ed1f79a63d1eade6f9ed5", + "sha1": "cadd211d74385550c5e055d3312303f4d64fdebc", + "sha256": "12130837d7f89a2c7e9d25747a8e5b9001e0a38d545178b49b450c23ae62664a" + }, + "malware_classification": { + 
"identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788814336, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SETUPAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257756, + "hash": { + "imphash": "5cd9d6761799e2ff681533ef1ffbb31d", + "md5": "2477a28081bdaee622cf045acf8ee124", + "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", + "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760633856, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CFGMGR32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534817, + 
"hash": { + "imphash": "2dbdaadf7e151289a49662379e253dfd", + "md5": "06fec9e8117103bb1141a560e98077da", + "sha1": "a8922793a930d602409b62be5ff01d5baec60000", + "sha256": "c5e61b11ddbbbbba3d9488970524f0975ea5fbdf16e2fa31f579f8bfa48353b1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760044032, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DEVOBJ.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534887, + "hash": { + "imphash": "e7f2585307f1db90e7e5e48c40dc7134", + "md5": "da1b7075260f3872585bfcdd668c648b", + "sha1": "f2bd334006d728422721b7c639145a6ec59a459b", + "sha256": "3e10ef6e1a5c341b478322cb78a0ab7bfc70ad8023779b8b4542a7cb4ca756ab" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791742873600, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dwmapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 
00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535203, + "hash": { + "imphash": "6a5a31c99a1562b9e5e10f4b4445be95", + "md5": "be097f5bb10f9079fceb2dc4e7e20f02", + "sha1": "dd572bac50bc4718126389c628d56a83d5c4d88a", + "sha256": "90a88986c8c5f30fb153ec803feda6572b2c2630a6c9578fcc017800692694d5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791732256768, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\slc.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257495, + "hash": { + "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", + "md5": "497bfeddaf3950dd909c3b0c5558a25d", + "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", + "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791732453376, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", + "signature_signer": "Microsoft Windows", + 
"signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258848, + "hash": { + "imphash": "cc4d63ca30fdbb90048e549782d2116a", + "md5": "858df0795cb5b4bace0f33708925a414", + "sha1": "e629ed78e6e1829263890974760dad8a431edf69", + "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791754801152, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Secur32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258927, + "hash": { + "imphash": "b32250da0d30f7782b5b900d4d9c519a", + "md5": "2a86e54b441ad41557f75dc5609b9793", + "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", + "sha256": "8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" + }, + 
"malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756701696, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SSPICLI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258762, + "hash": { + "imphash": "26c2856b9813d8990c01c5a711b5063a", + "md5": "f06bb4e336ea57511fdbafafcc47de62", + "sha1": "bfee1b9d2269d26d99c8e462825ee8399c8bd4ec", + "sha256": "be43ec62548e9ff89a9495a1722e22dbb76eec3764f86e64057b636f27d15765" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791728259072, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PROPSYS.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + 
"compile_time": 1247534993, + "hash": { + "imphash": "f0c6fd6831905d958b05645b680db89f", + "md5": "784fa3df338e2e8f5f0389d6fac428af", + "sha1": "6d32c67c91c6d374854e907c6719db2538540867", + "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757291520, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257499, + "hash": { + "imphash": "cd11f800bc54ae45ead9d98c96048145", + "md5": "7fa8fdc2c2a27817fd0f624e78d3b50c", + "sha1": "b4aa8e16396b1882eb75c28dfbec9949608afdde", + "sha256": "7b63f6aa2cd6d4d07ea3c595b868b1a0749bb11620027a2bd9b935e3055481e4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791736123392, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": 
"Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258974, + "hash": { + "imphash": "b03f7d8315f3384d06c11e961e6fee07", + "md5": "26b73a85855681500bcc25c7cd9ff5b1", + "sha1": "393ed9ebbe380c77935df6d0eda2047cdd2224fe", + "sha256": "94d134a6af53ad629a4505b8b0ea37f61bb43af4db71874e7e87853163a9282a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791724851200, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WindowsCodecs.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535135, + "hash": { + "imphash": "ff720e05e534d67b814b8562265058f5", + "md5": "2c942733a5983dd4502219ff37c7ebc7", + "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", + "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758143488, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\profapi.dll", + 
"signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257558, + "hash": { + "imphash": "6af6d846a78a6532fcb989d0d8aeb17d", + "md5": "90499f3163a9f815cf196a205ea3cd5d", + "sha1": "f97ff54dc4b132756fcf7041e55d645163f19851", + "sha256": "29b4ed3795cec1177eb367132914ce21c194cdec5db9dc923fd928c85e94d821" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756898304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\apphelp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534778, + "hash": { + "imphash": "37afbae3e0f359c3718e379261f7ccfc", + "md5": "25983de69b57142039ac8d95e71cd9c9", + "sha1": "01691e3b0bfa569e64bdb7dc3d637a867ed2dc08", + "sha256": 
"a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791787700224, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CLBCatQ.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534842, + "hash": { + "imphash": "cbda3eb1c9c46a2121362e9775f60b47", + "md5": "024352feec9042260bb4cfb4d79a206b", + "sha1": "79c23ce566219f87ade8e55a292aaaabe4a639ec", + "sha256": "60cb39086e10c5b66ebc15e4df219620b344b4358d2918ab6bb3448a0ac8be36" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791731994624, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\EhStorShell.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", 
+ "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258701, + "hash": { + "imphash": "37dad3873d5388f07576532bc042f677", + "md5": "7bbf670114373ce6a203fa155a9e0d0a", + "sha1": "104d89dde030b661d05c4c63a03fae1f46ab52d2", + "sha256": "36ef0a36c679e53b1b169289bd3c05d7c2839dc20c8c87bf520b633911fde198" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791647518720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ntshrui.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258920, + "hash": { + "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", + "md5": "3a9c9baf610b0dd4967086040b3b62a9", + "sha1": "3207ac7f895eab34623d994548d7810e54be3e79", + "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791753228288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\srvcli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258010, + "hash": { + "imphash": "2ba777561101c3b07566cc50db3a564c", + "md5": "1bf0cb861a48feb1638228760750f3cb", + "sha1": "fbc77224c1b444a6ec25e99f995f2f355e4d1d26", + "sha256": "37c781a8c546ead8b4d28bd7d730b9ac78eb799599ad69dad9054b6f9f1dd6bd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791649091584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\cscapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:35" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247534897, + "hash": { + "imphash": "5bf52e420b6d5991bdcce16ada0828dc", + "md5": "1d63f4366288b8a7595397e27010fd44", + "sha1": "e459e1227083e4eabd19ee20e13754560fc7e02d", + "sha256": "99ea4ddd88d9c4a4cc9b238f533cb4d2c062d46239173997e8594d8a75811a01" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735533568, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IconCodecService.dll", + "signature_signer": "Microsoft 
Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534998, + "hash": { + "imphash": "77870f98ca4d25a823c74d7404a64bfd", + "md5": "d0c2fbb6d97416b0166478fc7ae2b212", + "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", + "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791750606848, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTSP.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 17:43" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535161, + "hash": { + "imphash": "b8c20a01e4d94df61ee21f5350389f9c", + "md5": "5d8874a8c11dddde29e12de0e2013493", + "sha1": "a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", + "sha256": 
"3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791747461120, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\rsaenh.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258799, + "hash": { + "imphash": "a198edd0f73abd7cdbb54eef82ab1fc6", + "md5": "c2a8cb1275ecb85d246a9ecc02a728e3", + "sha1": "4417207821fc8f5c72ff531683f183caef297882", + "sha256": "3603fadca0060bd201148f9d59e4e2627f024609a6463ab525b5d1ad17bdcd10" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758012416, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RpcRtRemote.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + 
"program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258895, + "hash": { + "imphash": "4fe9beaa9bd4aa01f5063a7352325c89", + "md5": "d7f1ef374a90709b31591823b002f918", + "sha1": "336ac44b8ee88a6af3f3eaf461b8bdf94fa657ff", + "sha256": "05fd2837c9b03d14bb2a969c1ad77caef047d93dc5d0f6c2acbf0888e8f7b359" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730683904, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SndVolSSO.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534873, + "hash": { + "imphash": "0a90384377303e2a2625725018566a89", + "md5": "896f15a6434d93edb42519d5e18e6b50", + "sha1": "b91a3512a80c4201c3fcfaf62abace894fbba328", + "sha256": "9263f0cec58d45ebe3fb9c3061fb9392c55a7933b84b4592e6ee13cfc86d5a50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791731929088, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\HID.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534952, + "hash": { + "imphash": "98a24f570dbcd3a092d95b3bd4e51a53", + "md5": "227e2c382a1e02f8d4965e664d3bbe43", + "sha1": "c4971ba9c1e4fdf0106c7cfab626a3d8737bbd07", + "sha256": "1cff20a8bf87ace4fa4935ebeed72bfb1a1fe902a754899e2f50798d67df5642" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791729504256, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\MMDevApi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258898, + "hash": { + "imphash": "e99757a4c1beee1b5bf8b7b33b444dcc", + "md5": "1fcb1a72bf5c784f7358e6bef38e4571", + "sha1": "ef944a320de79bf05f0e30f54f3f8b2ba2e82c4a", + "sha256": "12da4240f8c964eda6223257bd9723fd9372e63ae86f00509163b1de12a5f6c5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791637426176, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\timedate.cpl", + "signature_signer": "Microsoft 
Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534704, + "hash": { + "imphash": "d6de6fde05f96ac848accdb1aef473e4", + "md5": "58775492ffd419248b08325e583c527f", + "sha1": "b0e9ca05d46cb53049c4ca33fe04bd08989a78f9", + "sha256": "dbb013971f5894f25c222c2d4d50a29db6df3c413792ee9ccc1a9e6d85469093" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791732322304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ATL.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535266, + "hash": { + "imphash": "fa1e670045065ff088a4ac664f9ac3d7", + "md5": "9f2bacd5e1776a4bb7cc0ec3c3a4f96d", + "sha1": "ad8c7ec85d532e5725b8535830f27c1abcf139b4", + "sha256": 
"19959d18601712901f03b83150d15e34ebcab355bb4692c9a28511a72f57fc66" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730618368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINBRAND.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257498, + "hash": { + "imphash": "53f2c3eaeaa6e619e0ccd6e671e96145", + "md5": "e6f0f82788e8bd0f7a616350efa0761c", + "sha1": "9aa4aafda89325853ffa66169e697529164a23a2", + "sha256": "13091dcb3e3f4f52c3ff210e93aaf1dce142cfc09f671aeac5b922393b23e67b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791633952768, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\actxprxy.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + 
"program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535165, + "hash": { + "imphash": "ae5e5f76641aadaf99f0ca29d2e1cadd", + "md5": "1f4492fe41767cdb8b89d17655847cdd", + "sha1": "c836a5e65d56900b6658fdaa3df8579bdd07ec69", + "sha256": "184547fac0c3d7148faa3f601929a7089de393bd19929a137dad743331dd3f77" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791719739392, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ntmarta.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259030, + "hash": { + "imphash": "f792b6ec2e11bc79d8eb1bb1bcb79a91", + "md5": "4e4ffb09d895aa000dd56d1404f69a7e", + "sha1": "40f5c1890f6de5284f6c897255e6907b0272349a", + "sha256": "d999e04bb35780088480eab322176570591a21e311d204bdcab010a63b34d24c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791794974720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WLDAP32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258853, + "hash": { + "imphash": "2507624727988c72eb2a628a990000fd", + "md5": "c4f40f6cacd796a8e16671d0e9a2f319", + "sha1": "0881ae2a2fd3c5f03654410c474e5a25317942b2", + "sha256": "44853c645915d910ed0cc6d38f68b6c222528ec5fcbe990e238010f41204e682" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791729897472, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\shdocvw.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534923, + "hash": { + "imphash": "e52a872655c57d1b906101b6d5449bbf", + "md5": "a0a65d306a5490d2eb8e7de66898ecfd", + "sha1": "880ac520eb1d38ebb591707a26e6dd300df40643", + "sha256": "ce5da408f4edd5e81ce0925867f03c9a35172cf1571fe4c4c052e45ab69822bb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791729831936, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\LINKINFO.dll", + "signature_signer": "Microsoft 
Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258932, + "hash": { + "imphash": "0e8a67fa12ce3d22a9e1d18bda5c3260", + "md5": "7a17485dc7d8a7ac81321a42cd034519", + "sha1": "83d1722a35eb16b010d8c9f72c627e97d4642101", + "sha256": "88d8705fa901793fc8c1cfd0175e49a6502bf0fc94a066ba573d2fd13aa5f04a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791745036288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USERENV.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258852, + "hash": { + "imphash": "8b5c65294bec1cf89e97325a24b8cfc5", + "md5": "4e9c2db10f7e6ae91bf761139d4b745b", + "sha1": "6e8e6a53269ca8acc8c2456c80cd3a56d8deb98d", + "sha256": "8f63f78294f5585d599a114af449dcc447ccb239d0f0b490bfe6b34a2146e730" + }, + 
"malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791704207360, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\shacct.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535152, + "hash": { + "imphash": "44b39e98ae2946f304f4dbadcfffa307", + "md5": "5b3ebfc3da142324b388ddcc4465e1ff", + "sha1": "86e20ebf70fd35723eb635c4f3684891a2547a7b", + "sha256": "5d58642305311f9bc9b779c9598bfc4e7433b3ea58404bf1ff9466838a2328c7" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791716069376, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SAMLIB.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + 
"compile_time": 1290258793, + "hash": { + "imphash": "7fec5787890bfedd3b3aa4082f53a08e", + "md5": "fc51229c7d4afa0d6f186133728b95ab", + "sha1": "f7a2f224356e68b612ecce4512c99f5b9c264d7d", + "sha256": "37e58c8e1c8437d1981725a5dcdaca7316cefbb570370cefc8d122f523b96ac0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791714168832, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\samcli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258588, + "hash": { + "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", + "md5": "6ceca4c6a489c9b2e6073afdaae3f607", + "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", + "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722426368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\netutils.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + 
"serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535084, + "hash": { + "imphash": "14bd8d9a93b98b2479e1f6cd57b7c790", + "md5": "7cb3acb163de051169095dc6507b8977", + "sha1": "b891ebebb25655157f7c612d5763e995c86009a2", + "sha256": "45d4deb0695440d8b5e959945b3f7a773e02e2ab305e316123a1064fc1905402" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791703945216, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msls31.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257535, + "hash": { + "imphash": "bf738a2fc0ab0601eea36f35e4cbcd27", + "md5": "0bee002c68e28ce6da161dcf1376d7d7", + "sha1": "d5cc3bec12c801e11217acc6927e1e6e401fe208", + "sha256": "1d4ee0b9ce22d139478008d5591b8c9f027c235cba601f95a96547cf98159d4b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791631134720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\authui.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": 
"x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258007, + "hash": { + "imphash": "76801e47683b36a4115dbe046717edbe", + "md5": "b3bfbd758506ecb50c5804aaa76318f9", + "sha1": "bf6c922467347a6690eb19c5e82be09b3295778b", + "sha256": "34e079a6ab2d41d1e0b3887b6ae31c43941061b7176fff2801c3f465c2c89578" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791630020608, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTUI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257999, + "hash": { + "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", + "md5": "3f9f2afa135f0663946a006dd5ffd897", + "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", + "sha256": "276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 
0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760896000, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258373, + "hash": { + "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", + "md5": "884415bd4269c02eaf8e2613bf85500d", + "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", + "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759060992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSASN1.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258922, + "hash": { + "imphash": "75124ca243f494ff6127697f3ebc418a", + 
"md5": "5fada8b707318e1bd63a7e2b81e6c8cb", + "sha1": "c5ad1c9bbc2f565237a144b9cf44711dfcf65ea5", + "sha256": "2590e88cab52fcc1b24cb262d293131c6280a5f234e0c130e77aa8697efa3b5f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791793401856, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\urlmon.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258980, + "hash": { + "imphash": "248b27a31ddf696c2e3bfe6aed9c3eba", + "md5": "f6c5302e1f4813d552f41a0ac82455e5", + "sha1": "f0ec3ad7e90f559d1bc9b8849cf5668cafba2031", + "sha256": "e3ebf44621efc6381baae0f0efc13c356dcb6ee31bb258137edb3cc3e18549b5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791786455040, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WININET.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + 
"timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258097, + "hash": { + "imphash": "f6db6123d8a383f58cf318d00d2e7d1d", + "md5": "5180380d353277d395d3b36d790aa93e", + "sha1": "d5622ec5d922233867422d1e143969e226bb9a1c", + "sha256": "89b894eccf65704d00d30ea3bd45b184bfab8345b779f9ae2be66b9fc7226f72" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791780032512, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\iertutil.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535234, + "hash": { + "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", + "md5": "94e026870a55aaeaff7853c1754091e9", + "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", + "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743004672, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\VERSION.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + 
"serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259004, + "hash": { + "imphash": "da0bcac0c5f9dc653d00eecd5fb1c801", + "md5": "0d9764d58c5efd672b7184854b152e5e", + "sha1": "99d78db040987c69b6a70a42af86641ba0413956", + "sha256": "9827b43dabbec39ab2e2294408d9c5304ef27a684903c5234c6070387723d49e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758209024, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINSTA.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535280, + "hash": { + "imphash": "af1203c1d6d810c97729856780869b12", + "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", + "sha1": "c53e005cd04d99331ce3114ac119256133202313", + "sha256": "81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791683301376, + 
"mapped_size": 0, + "path": "C:\\Windows\\system32\\WINMM.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258936, + "hash": { + "imphash": "7e9874f9ecf2191b91f9a4dfa37f2ba1", + "md5": "1473768973453de50dc738c2955fc4dd", + "sha1": "7b046f6070844e3bc7deae115a1dfe5825030513", + "sha256": "14bc5da2442cb726acc1f277ddbeccf5d61e3a0a3e083a55a0bb610191e35220" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791648239616, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wdmaud.drv", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535081, + "hash": { + "imphash": "086996ef0b01a463f114deb5244861b9", + "md5": "8560fffc8eb3a806dcd4f82252cfc8c6", + "sha1": 
"7562bbb63b0db6e4986ebdb86495c4fe284a1eaa", + "sha256": "cc27bc092369a89d6147b16568fedeb68b584d5738cd686c31f7fae22ed17b3b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 1968373760, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ksuser.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534742, + "hash": { + "imphash": "690cce63d22e22d9aa225c4a9290b2c4", + "md5": "78a1e65207484b7f8d3217507745f47c", + "sha1": "3542a591e9c97b48739f69e2a193dff461ea097c", + "sha256": "35f413adb9d157f3666dd15dd58104d629cd9143198a1ab914b73a4a3c9903dd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791718625280, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\AVRT.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + 
"more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257517, + "hash": { + "imphash": "64661addcde8896487dcc7cd32a4eda9", + "md5": "dc220ae6f64819099f7ebd6f137e32e7", + "sha1": "5707f15b666c7d3b07dfce9dac665a2e45c39113", + "sha256": "b8fe13b859fa83500dd95637fa6d4a5b8392c2a363e41d014d3b5374f636e1de" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791659118592, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\AUDIOSES.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534992, + "hash": { + "imphash": "3bf8d3fd03f9d07b7821df4b1da2be9d", + "md5": "1b7c3a37362c7b2890168c5fc61c8d9b", + "sha1": "78ba8d596c0ac4c38acb498416957891570a2a1d", + "sha256": "03727930e5bb5f9d91bab901fc9a2e3b795d68e2aee6a2cc3477f356c45a9c54" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791728062464, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msacm32.drv", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 
07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534991, + "hash": { + "imphash": "9611d7fd4fe3c571fbf1db3d718ba82c", + "md5": "10ac5ce9f78dc281a1bbd9b8cc587b8a", + "sha1": "207582f9d9bec00a932fba886d575ee5b6502d42", + "sha256": "72288c0a88916d3c3828dbd948dbdb0928f26106319f8e60102d6c9004514d60" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791716659200, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSACM32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hash": { + "imphash": "5a8ee2f48e79ef6ac4b33366d6642b50", + "md5": "ca2a0750ed830678997695ff61b04c30", + "sha1": "a27df990dde73e72bb02105f8af689a1ac324e59", + "sha256": "e84860cd97aa3c4565abb2d5d406a5c42b1ad2d8ba1b8cf81fe564d91f15f976" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727996928, + "mapped_size": 0, + "path": 
"C:\\Windows\\system32\\midimap.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535256, + "hash": { + "imphash": "04a5e982c134477b1914ebcd7b6436d0", + "md5": "d6f630c1fd7f436316093ae500363b19", + "sha1": "197897b74f411040ba7df41a5bd3c1030661b904", + "sha256": "73a94b4938430396ea4240b1a6676b4e6c19cfaf8c52efb9a69b4b2175a86307" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727734784, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\XmlLite.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258889, + "hash": { + "imphash": "8181b1ef70ff3d29984db497f92a2662", + "md5": "c3761661c17c2248a9379a8fb89e3de1", + "sha1": "d2ea41e02bbaa77f8b93b09277596a34cdae8853", + "sha256": 
"ce3477fa2b4058eb80739e0161fe957545f13cf86d313f6422732901d35f75f2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791617568768, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\stobject.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257641, + "hash": { + "imphash": "fbe995ff97475c5aa2777a4bc493d4b1", + "md5": "f832eeea97cdda1af577e721f652a0d1", + "sha1": "48f227a1e10d49edf56e3559e05c871bc285c199", + "sha256": "ebbb7ca199ba4df231123922bd310d43de0104c6185b70fe0281b938d5336f2e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791616782336, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\BatMeter.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + 
"program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535260, + "hash": { + "imphash": "5d8fff13bf206e589cae241fc7f4d464", + "md5": "bd3674be7fc9d8d3732c83e8499576ed", + "sha1": "cb96190d6366e11dd6e6b48f4cdc4332015cfa67", + "sha256": "e6716a5895d629263a4d21959f48840429ab6f4b55a5fa2663ee5e86c9ca2bf1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727538176, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WTSAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259008, + "hash": { + "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", + "md5": "eb3f9c2de1236b5d46b2291d82970e43", + "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", + "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759781888, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINTRUST.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534970, + "hash": { + "imphash": "8accd78cb7feca81ac448f0485be30dc", + "md5": "4166f82be4d24938977dd1746be9b8a0", + "sha1": "5174036d781677f5444d9a23079baf18f4bbda44", + "sha256": "24121751b7306225ad1c808442d7b030def377e9316aa0a3c5c7460e87317881" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730159616, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\es.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257970, + "hash": { + "imphash": "8c20d7b93902b8c193a7fc1b4b58e9aa", + "md5": "42a9cb6906d9a8bedc83b57163e62924", + "sha1": "50e5592460d91205e912d55f60a2dd3cc4da4329", + "sha256": "e18522d3137653140757829efbfce624a5baa5842e2bba10b9e5ab6c84be49e1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791614619648, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dxp.dll", + "signature_signer": "Microsoft Windows", + 
"signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258826, + "hash": { + "imphash": "1df61af51096e9bbbdc1834405984e4c", + "md5": "2d2a6ec8ead30ec3ace2fd6fb1b3e122", + "sha1": "1e77948378474e155307d290b998994f720206bf", + "sha256": "e7ea375a3bde8fc764cb09524344370b9ee25f98ad6c83e6f37a569eb8d277d6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791614160896, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\prnfldr.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259000, + "hash": { + "imphash": "2f59265cb3df847423b60921203365be", + "md5": "0015acfbbdd164a8a730009908868ca7", + "sha1": "671c084513461900550bd49d3dccb58bdbe05adf", + "sha256": "e1ff243ad2cf959fab81efe701592414991c03416ff296adc93906e76b707c4d" + }, + 
"malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791654924288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINSPOOL.DRV", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535225, + "hash": { + "imphash": "3d49b728c9125f451e7f2f215e9d3bbb", + "md5": "2bc7c9fd0a9f2c9afc373f3ad1ee3891", + "sha1": "1b7c6960a72509d1f408022d791c6a65acb2a75d", + "sha256": "0a82a475301202791a7c10f978f952eab7db146a702d4ea67e24e2c98bc19638" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791648108544, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Syncreg.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + 
"compile_time": 1290258789, + "hash": { + "imphash": "c5c69e7d20ca382ddbc49947d651a8e7", + "md5": "10f815be90a66aafc6c713d1bd626064", + "sha1": "3e21f173a6bcdf629c442d89abadc48137c61bb2", + "sha256": "01139fc04bc53594296f6a0e16b8d20b940f64bc8119fe7705c03c4947958f39" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791612325888, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\pnidui.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258791, + "hash": { + "imphash": "6437e4761b1278fdecf142a679216f7b", + "md5": "b9f0a4020aa98b7a20287bf7fe99a1fd", + "sha1": "1f28ac7493ce972b45de191780a190504d1d0c44", + "sha256": "21138f161eeea46198890c7a2d073f2c82829e15676131bdad9f237edc7477cd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791612194816, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\QUtil.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + 
"serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535239, + "hash": { + "imphash": "deeb658dae29d8df1c8dbb08f06801b0", + "md5": "3c073b0c596a0af84933e7406766b040", + "sha1": "06185554c38353211430f5f075c490558e46fb3d", + "sha256": "4698bba678f553e15ad4b07ad7fb236281f872defee97bfd637114476c8f97b3" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791752769536, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wevtapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258586, + "hash": { + "imphash": "97bb6eee9e1ea3e5751077b655b54de5", + "md5": "a42f2c1eb3b66c54fb3c7b79d30c1a6d", + "sha1": "cee705de8d3dfcc9e2a14e0249d6be61fcd54a18", + "sha256": "a63836db3b01835dc1311526a95198d6ebccb1dc9ddafbc38ec36c128cdb98b9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791609507840, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\netshell.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": 
"x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258138, + "hash": { + "imphash": "0bc508389b6b5577cf3cca214ca523a7", + "md5": "2b81776da02017a37fe26c662827470e", + "sha1": "8c85389640bea73a009d83079f8b4c963697035f", + "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727210496, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535145, + "hash": { + "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", + "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", + "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", + "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" + }, + "malware_classification": { + "identifier": 
"Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791763648512, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NSI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535281, + "hash": { + "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", + "md5": "4c9210e8f4e052f6a4eb87716da0c24c", + "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", + "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791726948352, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\WINNSI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258583, + "hash": { + "imphash": 
"7e01da4b2a8806d2944a3ff2e271958f", + "md5": "2df36f15b2bc1571a6a542a3c2107920", + "sha1": "660a44b660d8e57ef7d7efbbc006ac390a7901fa", + "sha256": "a918f1ee95269df973421af2f5713deeaf15ef0f77baa7e8c515ffb69896fb7a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735992320, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\nlaapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534791, + "hash": { + "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", + "md5": "4cbcc37856ea2039c27a2fb661dda0e5", + "sha1": "cc666108d34168420a1d1942dda1e090154c7296", + "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791723999232, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", 
+ "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258981, + "hash": { + "imphash": "1ec347d133df2fe4da3e5f8944caeae8", + "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", + "sha1": "d48aafa576b40a5e386e609bba1010472551154a", + "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788486656, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WS2_32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:35" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257492, + "hash": { + "imphash": "f5d0254c5435291634c8b7357aa536bd", + "md5": "92dbf0a4c9239169010fc6e07859c82e", + "sha1": "634d8c12de82c422dfeba8f9a5fa84d03b7bcd35", + "sha256": "00fb2cf4420f0ffef519afe732a708cf249640121e2a891caa164313abd7f804" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791608655872, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\Actioncenter.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + 
"issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534790, + "hash": { + "imphash": "f17020f0f66b64fbdf51c75b43f3729d", + "md5": "f568f7c08458d69e4fcd8675bbb107e4", + "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", + "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791723868160, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257996, + "hash": { + "imphash": "eb1c8dd21e1f92a8be35a76b165ce8da", + "md5": "52d3d5e3586988d4d9e34acaac33105c", + "sha1": "2c20246d2c45fb6e8976b37ad62465f5f4255f2b", + "sha256": "c61b60ba962b25b8334f0941c3535ea4aca1cc060b8a196e396ca3e11ceef8a1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": 
"3.0.0" + }, + "mapped_address": 8791746412544, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\credssp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258110, + "hash": { + "imphash": "9ba63732839305b29ebe539451171b45", + "md5": "8130391f82d52d36c0441f714136957f", + "sha1": "e2bb102565986a42d0a43bd3f337f94dbe54eead", + "sha256": "1fd4fee7caf63e450f27729e07ea2a2f09288629fd872dbb6e8710b16d8dbd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791608131584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\imapi2.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258038, + "hash": { + "imphash": "e070eff3751fea77ccd424469a9a07e6", + "md5": 
"6a5c1a8ac0b572679361026d0e900420", + "sha1": "fd9241fdda4b9d08ff1e205f9d5f78923ab884d8", + "sha256": "b5e693b48b462e97738a3d4e58b60846159649eb15f4d11074b4bc107cc88562" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791607345152, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\hgcpl.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535139, + "hash": { + "imphash": "1e00eab90042e5099339cb82841b434a", + "md5": "f7073c962c4fb7c415565dde109de49f", + "sha1": "671c2e910ff954700b3a1f80608423697895c0a9", + "sha256": "781e7088dcefbc34a808c3e7da41a56112b3f23abe9f54b5ef4d5cd9cd016b1d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791680090112, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\npmproxy.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp 
Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258777, + "hash": { + "imphash": "d402ebf00a5cffa66b6682780c262457", + "md5": "6b851e682a36453e1b1ee297ffb6e2ab", + "sha1": "3dc85ba13d1f720e8039865817bcc65dc0f1d35b", + "sha256": "a641d3fd9463c4788b45b8b5584ea4489c1f63a71b4b595ae85ff3482cd5eda6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791606099968, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\QAgent.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534818, + "hash": { + "imphash": "09bf801b36364c598a2a8fdff079932c", + "md5": "cd1b5ad07e5f7fef30e055dcc9e96180", + "sha1": "4e835fdadd0c67fde44e385f69a1014d6ad11f4f", + "sha256": "63c58551f32b0b09377f64a6ae1fa81af93b8a707a57a8c18722086906ad3046" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791745167360, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DEVRTL.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows 
Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258413, + "hash": { + "imphash": "08a9b8e4e42e5520be662b4663289747", + "md5": "1eac1a8ca6874bf5b15e2efb9a9a7b86", + "sha1": "30cff16f17833aa042d8b6cc32d86c4a39c77c67", + "sha256": "e15ed4fefc3010c213694331ddfdc03767682325c898d773ab243e2dc8b08461" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791633100800, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MsftEdit.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258939, + "hash": { + "imphash": "6ac24d44010fe2db4d5e9e0651b7a3cf", + "md5": "f9959237f106f2b2609e61a290c0652e", + "sha1": "7f7c92c4fe8244a7deac7fed4d5576042bfba29e", + "sha256": "fccc12e5aae1773bf87b1c4bce71d017db1a5a7ac189559058ea1ecc72075a82" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 
8791628709888, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\werconcpl.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535233, + "hash": { + "imphash": "cce75846cdf9d74f85e44fc728ee8440", + "md5": "9689a9c7f7c2a1a423cda2c3b43fff65", + "sha1": "ebe6b3066634239a4f62780a8a6e27f33b0afc87", + "sha256": "914ad22d98975578bc14d821f72e8dfce24f2092f9c299d24ebbaf5408fe8b8b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791646994432, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wer.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257998, + "hash": { + "imphash": "6e52c6bdbfd3d257064382284bd4f59c", + "md5": "1484b9ebf567346582de571b0e164ae0", + "sha1": 
"6b87eb7005fe659f976732307fe12b96747dfc8d", + "sha256": "9862bf22b2e32dabe7a82acee5b4ea1f0a93bdc3c71b20a6a4e568cccd76a7a6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791628382208, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\framedynos.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535235, + "hash": { + "imphash": "64b92457c7762d63f903189058d583ca", + "md5": "7e591867422dc788b9e5bd337a669a08", + "sha1": "3bd1b2a2271d6756351d9b4876193efd8a845da0", + "sha256": "484e6bccdf7adce9a1aacad1bc7c7d7694b9e40fa90d94b14d80c607784f6c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791628251136, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wercplsupport.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": 
"11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258497, + "hash": { + "imphash": "2814c7c81c59e8a913c288a8c72a9c1c", + "md5": "5c29199c9f0ede64f17f268084ec4392", + "sha1": "a767e893427f9b24fe06cbb3a155dd54162a402a", + "sha256": "ea9fd588a8c89399dd287399a912b356a4234cfe418239b227d255749f5ddde2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791652564992, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\msxml6.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:35" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247534858, + "hash": { + "imphash": "2ab209fb6a68c8e15483324a442c1c4c", + "md5": "809ae7d4ace06bbcf621e5c504bf6fc8", + "sha1": "c0e2202d99db67a9efa6c67226410ad3c7b657a6", + "sha256": "0baab89fb57468f27446947d75cbd6ddfc92d9b8f040144a12656803b2f7bf65" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722491904, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\hcproviders.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 
00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:36" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258095, + "hash": { + "imphash": "328b1cd6b239c7c01904019379bede4b", + "md5": "77a8a1791145710c7efe76ea82bf0763", + "sha1": "e421318d7b6d66c9214722c736f5b3d4207acf74", + "sha256": "9488b96e065299d273f9dcc82aa1203b48f0038d4f27324da19e9bfd925ca737" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791627726848, + "mapped_size": 0, + "path": "C:\\Program Files\\Internet Explorer\\ieproxy.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258892, + "hash": { + "imphash": "ec50511b4e46da8b1a467667a84f8047", + "md5": "9cead32e79a62150fe9f8557e58e008b", + "sha1": "4cbd17b96209b5e2da683382e05cef55f48d6107", + "sha256": "afe4c1725ee94d7de0749ae1495a4e5cc33c369f29b2a589da66ffe27ff9777e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757357056, + "mapped_size": 0, + "path": 
"C:\\Windows\\system32\\SXS.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258896, + "hash": { + "imphash": "d75a096a9c47b1fd385a268e9c6f2f68", + "md5": "24f4b480f335a6c724af352253c5d98b", + "sha1": "a388cc90338cec7b5eec66e921599de0cc275a2b", + "sha256": "011413b236cad7b78ce0a0eec3e3085d48c7576a3205d025ba6ebfdf590538e4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791660232704, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\thumbcache.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247527581, + "hash": { + "imphash": "be693a67b5b884d7609eaf574ba00955", + "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", + "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", + 
"sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2009726976, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PSAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:36" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258093, + "hash": { + "imphash": "39d5c5468a8e87803234025334b9dc09", + "md5": "f1115299b9f4c983bc4523b33e3a506c", + "sha1": "639946c23b630798284a92117882990ea31d702e", + "sha256": "01a1d8b3e5cf727f92f4a43d5c5f81022127d58a850d29d3f084ad411efbc9dd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791578836992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ieframe.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + 
"program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535131, + "hash": { + "imphash": "84786d42c8a896b9a971b3c9eb8feb4c", + "md5": "9869a4a10b90546dbd56947839fb4b87", + "sha1": "5d9642f314d62dc5834cbd7950230bad3f85d982", + "sha256": "66c84dcf39d9f6896d55b1623184a028891a0a98abe6044de1d4bad60c3c8d72" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791591157760, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEACC.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258887, + "hash": { + "imphash": "e6c083bfcedd032db2c66cd04f74c620", + "md5": "4e81439902079c348b61d7ff027fe147", + "sha1": "4386a5580b459aa4a0701addb753c3f9bf3da6f7", + "sha256": "e652c9ec77745504689532b3c394959f9b5bc29e9c008cb9ee09cda818514fa9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791658594304, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\StructuredQuery.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + 
"cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258589, + "hash": { + "imphash": "45badcf3f18f69f9f72af5245898d1cb", + "md5": "405f4d32d2185f1f1bd753d8eeaffb3a", + "sha1": "68bc45bac1e1584c789a6b3134bee5a2540f3e56", + "sha256": "cac42c3e09c43be96592b670d70821386014db22d8239a9cfb9e33e54fb5c3d5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791656890368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NetworkExplorer.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258495, + "hash": { + "imphash": "cdb39fb77293fb1bb86c2d5980ea8e88", + "md5": "022b05cee68d7826a93aedb4f1eb369e", + "sha1": "e7055d6cacb8c3fae06dc10ad480c8e6b8b7b592", + "sha256": "3b864d1471ed0949b02f1fa251b987185abeaddcbecd44efdbb6a7b7f03ca8bc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791625760768, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\msxml3.dll", + "signature_signer": "Microsoft 
Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258914, + "hash": { + "imphash": "6b6c83729fa36b04c301494d1eb07752", + "md5": "bb074f35b49eb2ea416962b596281e1e", + "sha1": "355fdb9e66ffad42144b1b6ec4d8eb357ed05d52", + "sha256": "e07208204b9616027e5144e2f3ef1ba81168365b7d2a761210b0fbc65b97871e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791623598080, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\systemcpl.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258594, + "hash": { + "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", + "md5": "764908fe1fa96f93c95b1b67a0fced29", + "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", + "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" + }, 
+ "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722557440, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\NETAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259010, + "hash": { + "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", + "md5": "3c91392d448f6e5d525a85b7550d8ba9", + "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", + "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722295296, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wkscli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + 
"compile_time": 1247534877, + "hash": { + "imphash": "3e340766bf7f54e3e9746a945d4dcb71", + "md5": "a77be7cb3222b4fb0ac6c71d1c2698d4", + "sha1": "e68b4e0058fb130c765e5aa98af36e26563809db", + "sha256": "73566223914bf670df6b5931fa213e546713531b10391ed65b5256bbd7abde7f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735926784, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\DSROLE.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258758, + "hash": { + "imphash": "c888173aa662e52d4b6194ed15819a13", + "md5": "db76db15efc6e4d1153a6c5bc895948d", + "sha1": "00dc6172c4507def32e4a269c08e76ab09abc3fe", + "sha256": "71ddf02c7ee2df66a08f1a2a08da39802c354624880a2be93a706ea7476422a3" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791690641408, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SPPC.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + 
"serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535243, + "hash": { + "imphash": "9484a9d0a0e3ef20592c9f66412400a6", + "md5": "666a60f6f5e719856ff6254e0966eff7", + "sha1": "10258e708443bd21997e7a977b5ee36bd758e368", + "sha256": "58c072e7e215991e19c1ca062c476081982f7b9f039714539ae7feb4981c200f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791716200448, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbem\\wbemprox.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258938, + "hash": { + "imphash": "03a62984ba62616e18740e69949df533", + "md5": "7db5aa22a8a8e5c2d335f44853c1f6de", + "sha1": "add6f6e2b6df5f571d06db724de5c7badad4e775", + "sha256": "a734a20357026c42950394682a52cbc3af956d09f1949e1b4e95467e999bc428" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791690051584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbemcomn.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": 
"x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535244, + "hash": { + "imphash": "6178a249d43f815225b0a9205f1f4f70", + "md5": "718b6f51ab7f6fe2988a36868f9ad3ab", + "sha1": "7cc84a20d6597f58eebabea5489d72239c6e746b", + "sha256": "76141b4e94c2766e2c34cef523092948771a7893212efadbe88d2171b85ff012" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791683170304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbem\\wbemsvc.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247534846, + "hash": { + "imphash": "c93ca8ec08e734d1b95c2a2d28884c47", + "md5": "a3f5e8ec1316c3e2562b82694a251c9e", + "sha1": "f0cdc2b44e609950ee97d9967c7459055a2af1a8", + "sha256": "f3dc6aa6a9d3b5bbc730668fc52c1d4bb5d515d404578bddd3d4869a7ed58822" + }, + "malware_classification": { + "identifier": 
"Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791688675328, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbem\\fastprox.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535150, + "hash": { + "imphash": "29f9ce11d25836037034b49be93790c6", + "md5": "ee26d130808d16c0e417bbbed0451b34", + "sha1": "962d52fb4d8f9965c5fc11a98f2f9048a2a5d918", + "sha256": "4886dce4faef146a40babd492a8000a2022fea542a6135a9bafd4cd09297b4e5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791688478720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NTDSAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258103, + "hash": { + 
"imphash": "ba45ab39c8fb40e4076d27cf8e0f4180", + "md5": "b8509dcfcfd577f568be4026bfd982c0", + "sha1": "1923c5995faf94d9b1767aca04e3134a5cedc07a", + "sha256": "e3608e6de15c400fa437349e7295fef10a1a0213ca3b532a58964b8c89749110" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788355584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\imagehlp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + } + ], + "name": "explorer.exe", + "parent": { + "executable": "", + "name": "" + }, + "pid": 784, + "ppid": 704, + "sid": "S-1-5-21-2016385190-3414718578-1263322444-500", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted", + "start": 1542341500, + "threads": [ + { + "entrypoint": 4279023504, + "id": 1920, + "start": 1542341500, + "uptime": 437 + }, + { + "entrypoint": 2008002240, + "id": 1812, + "start": 1542341500, + "uptime": 437 + }, + { + "entrypoint": 8791783440744, + "id": 2472, + "start": 1542341500, + "uptime": 436 + }, + { + "entrypoint": 8791792141832, + "id": 2468, + "start": 1542341500, + "uptime": 436 + }, + { + "entrypoint": 8791790810108, + "id": 2464, + "start": 1542341500, + "uptime": 436 + }, + { + "entrypoint": 8791792141832, + "id": 2476, + "start": 1542341500, + "uptime": 435 + }, + { + "entrypoint": 2008021952, + "id": 1800, + "start": 1542341500, + "uptime": 434 + }, + { + "entrypoint": 2008021952, + "id": 2516, + "start": 1542341500, + "uptime": 433 + }, + { + "entrypoint": 8791792141832, + "id": 2500, + "start": 1542341500, + "uptime": 433 + }, + { + "entrypoint": 8791792141832, + "id": 1068, + "start": 1542341500, + "uptime": 432 + }, + { + "entrypoint": 8791792141832, + "id": 2676, + "start": 1542341500, + "uptime": 428 + }, + { + "entrypoint": 8791792141832, + "id": 2660, + "start": 1542341500, + "uptime": 428 + }, + { + "entrypoint": 8791792141832, + "id": 2748, + "start": 1542341500, + 
"uptime": 428 + }, + { + "entrypoint": 8791729529348, + "id": 2636, + "start": 1542341500, + "uptime": 428 + }, + { + "entrypoint": 8791792141832, + "id": 2732, + "start": 1542341500, + "uptime": 424 + }, + { + "entrypoint": 8791783440744, + "id": 1472, + "start": 1542341500, + "uptime": 419 + }, + { + "entrypoint": 2008021952, + "id": 2220, + "start": 1542341500, + "uptime": 415 + }, + { + "entrypoint": 2008021952, + "id": 2332, + "start": 1542341800, + "uptime": 104 + }, + { + "entrypoint": 2008021952, + "id": 3712, + "start": 1542341800, + "uptime": 99 + }, + { + "entrypoint": 8791792141832, + "id": 2080, + "start": 1542341800, + "uptime": 85 + }, + { + "entrypoint": 2008021952, + "id": 4012, + "start": 1542341800, + "uptime": 81 + }, + { + "entrypoint": 2008021952, + "id": 4060, + "start": 1542341800, + "uptime": 81 + }, + { + "entrypoint": 2008021952, + "id": 520, + "start": 1542341800, + "uptime": 77 + }, + { + "entrypoint": 2008021952, + "id": 3236, + "start": 1542341800, + "uptime": 74 + }, + { + "entrypoint": 2008021952, + "id": 3260, + "start": 1542341800, + "uptime": 72 + }, + { + "entrypoint": 8791792141832, + "id": 3680, + "start": 1542341900, + "uptime": 56 + }, + { + "entrypoint": 2008021952, + "id": 3708, + "start": 1542341900, + "uptime": 55 + }, + { + "entrypoint": 2008021952, + "id": 2512, + "start": 1542341900, + "uptime": 55 + }, + { + "entrypoint": 8791792141832, + "id": 3748, + "start": 1542341900, + "uptime": 54 + }, + { + "entrypoint": 8791690668104, + "id": 3872, + "start": 1542341900, + "uptime": 51 + }, + { + "entrypoint": 8791683305488, + "id": 1016, + "start": 1542341900, + "uptime": 26 + }, + { + "entrypoint": 2008021952, + "id": 3520, + "start": 1542341900, + "uptime": 26 + }, + { + "entrypoint": 8791792141832, + "id": 3992, + "start": 1542341900, + "uptime": 13 + }, + { + "entrypoint": 8791760904360, + "id": 3604, + "start": 1542341900, + "uptime": 12 + } + ], + "token": { + "domain": "WIN-Q3DOP1UKA81", + "integrity_level": 12288, + 
"integrity_level_name": "high", + "privileges": [ + { + "description": "Adjust memory quotas for a process", + "enabled": false, + "name": "SeIncreaseQuotaPrivilege" + }, + { + "description": "Manage auditing and security log", + "enabled": false, + "name": "SeSecurityPrivilege" + }, + { + "description": "Take ownership of files or other objects", + "enabled": false, + "name": "SeTakeOwnershipPrivilege" + }, + { + "description": "Load and unload device drivers", + "enabled": false, + "name": "SeLoadDriverPrivilege" + }, + { + "description": "Profile system performance", + "enabled": false, + "name": "SeSystemProfilePrivilege" + }, + { + "description": "Change the system time", + "enabled": false, + "name": "SeSystemtimePrivilege" + }, + { + "description": "Profile single process", + "enabled": false, + "name": "SeProfileSingleProcessPrivilege" + }, + { + "description": "Increase scheduling priority", + "enabled": false, + "name": "SeIncreaseBasePriorityPrivilege" + }, + { + "description": "Create a pagefile", + "enabled": false, + "name": "SeCreatePagefilePrivilege" + }, + { + "description": "Back up files and directories", + "enabled": false, + "name": "SeBackupPrivilege" + }, + { + "description": "Restore files and directories", + "enabled": false, + "name": "SeRestorePrivilege" + }, + { + "description": "Shut down the system", + "enabled": false, + "name": "SeShutdownPrivilege" + }, + { + "description": "Debug programs", + "enabled": false, + "name": "SeDebugPrivilege" + }, + { + "description": "Modify firmware environment values", + "enabled": false, + "name": "SeSystemEnvironmentPrivilege" + }, + { + "description": "Bypass traverse checking", + "enabled": true, + "name": "SeChangeNotifyPrivilege" + }, + { + "description": "Force shutdown from a remote system", + "enabled": false, + "name": "SeRemoteShutdownPrivilege" + }, + { + "description": "Remove computer from docking station", + "enabled": false, + "name": "SeUndockPrivilege" + }, + { + "description": 
"Perform volume maintenance tasks", + "enabled": false, + "name": "SeManageVolumePrivilege" + }, + { + "description": "Impersonate a client after authentication", + "enabled": true, + "name": "SeImpersonatePrivilege" + }, + { + "description": "Create global objects", + "enabled": true, + "name": "SeCreateGlobalPrivilege" + }, + { + "description": "Increase a process working set", + "enabled": false, + "name": "SeIncreaseWorkingSetPrivilege" + }, + { + "description": "Change the time zone", + "enabled": false, + "name": "SeTimeZonePrivilege" + }, + { + "description": "Create symbolic links", + "enabled": false, + "name": "SeCreateSymbolicLinkPrivilege" + } + ], + "sid": "S-1-5-21-2016385190-3414718578-1263322444-500", + "type": "tokenPrimary", + "user": "Administrator" + }, + "unique_pid": 35, + "unique_ppid": 0, + "uptime": 437, + "user": "Administrator" + }, + "user": { + "group": {} + } + } + } + ], + "max_score": 1.0, + "total": { + "relation": "eq", + "value": 21 + } + }, + "timed_out": false, + "took": 2 +} diff --git a/x-pack/plugins/endpoint/server/test_data/all_alerts_data_legacy.json b/x-pack/plugins/endpoint/server/test_data/all_alerts_data_legacy.json new file mode 100644 index 00000000000000..3863baed387aaf --- /dev/null +++ b/x-pack/plugins/endpoint/server/test_data/all_alerts_data_legacy.json @@ -0,0 +1,15 @@ +{ + "_shards": { + "failed": 0, + "skipped": 0, + "successful": 1, + "total": 1 + }, + "hits": { + "hits": [], + "max_score": 1.0, + "total": 21 + }, + "timed_out": false, + "took": 2 +} diff --git a/x-pack/plugins/endpoint/server/types.ts b/x-pack/plugins/endpoint/server/types.ts index f06cc10f16709d..a0c9cd4b90266d 100644 --- a/x-pack/plugins/endpoint/server/types.ts +++ b/x-pack/plugins/endpoint/server/types.ts 
@@ -6,7 +6,25 @@ import { LoggerFactory } from 'kibana/server'; import { EndpointConfigType } from './config'; +/** + * A JSON-like structure. + */ +export interface JSONish { + [key: string]: number | string | null | undefined | JSONish | JSONish[]; +} + +/** + * The context for Endpoint apps. + */ export interface EndpointAppContext { logFactory: LoggerFactory; config(): Promise; } + +/** + * Request params for alert queries. + */ +export interface AlertRequestParams { + page_index?: number; + page_size?: number; +} diff --git a/x-pack/test/api_integration/apis/endpoint/alerts.ts b/x-pack/test/api_integration/apis/endpoint/alerts.ts new file mode 100644 index 00000000000000..c08d17e96b1801 --- /dev/null +++ b/x-pack/test/api_integration/apis/endpoint/alerts.ts 
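Review bot: `JSONish` in server/types.ts leaves `boolean` out of its value union, so a document with fields such as `"enabled": false` or `"timed_out": false` (both occur in the JSON fixtures added by this commit) is not assignable to it, which pushes callers towards `any` or a cast. I would widen the index signature to `[key: string]: number | string | boolean | null | undefined | JSONish | JSONish[];`. Arrays of primitives are excluded as well; whether that is intended is not visible from this hunk. `AlertRequestParams` also deserves a line per field saying that `page_index` is zero-based and that range checks live in the route's validation rather than in this type, for example `/** Zero-based page index; bounds are enforced by request validation, not by this type. */`.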
@@ -0,0 +1,66 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from '@kbn/expect/expect.js';
+import { FtrProviderContext } from '../../ftr_provider_context';
+
+export default function({ getService }: FtrProviderContext) {
+ const esArchiver = getService('esArchiver');
+ const supertest = getService('supertest');
+ describe('test alerts api', () => {
+ describe('Tests for alerts API', () => {
+ before(() => esArchiver.load('endpoint/alerts/api_feature'));
+ after(() => esArchiver.unload('endpoint/alerts/api_feature'));
+ it('alerts api should return one entry for each alert with default paging', async () => {
+ const { body } = await supertest
+ .post('/api/endpoint/alerts')
+ .set('kbn-xsrf', 'xxx')
+ .send({})
+ .expect(200);
+ expect(body.total).to.eql(132);
+ expect(body.alerts.length).to.eql(10);
+ expect(body.request_page_size).to.eql(10);
+ expect(body.request_page_index).to.eql(0);
+ expect(body.result_from_index).to.eql(0);
+ });
+
+ it('alerts api should return page based on paging properties passed.', async () => {
+ const { body } = await supertest
+ .post('/api/endpoint/alerts')
+ .set('kbn-xsrf', 'xxx')
+ .send({
+ page_size: 1,
+ page_index: 1,
+ })
+ .expect(200);
+ expect(body.total).to.eql(132);
+ expect(body.alerts.length).to.eql(1);
+ expect(body.request_page_size).to.eql(1);
+ expect(body.request_page_index).to.eql(1);
+ expect(body.result_from_index).to.eql(1);
+ });
+
+ it('alerts api should return accurate total alerts if page index produces no result', async () => {
+ const { body } = await supertest
+ .get('/api/endpoint/alerts?page_size=100&page_index=3')
+ .set('kbn-xsrf', 'xxx')
+ .expect(200);
+ expect(body.total).to.eql(132);
+ expect(body.alerts.length).to.eql(0);
+ expect(body.request_page_size).to.eql(100);
+ expect(body.request_page_index).to.eql(3);
+ expect(body.result_from_index).to.eql(300);
+ });
+
+ it('alerts api should return 400 when paging properties are below boundaries.', async () => {
+ const { body } = await supertest
+ .get('/api/endpoint/alerts?page_size=0')
+ .set('kbn-xsrf', 'xxx')
+ .expect(400);
+ expect(body.message).to.contain('Value is [0] but it must be equal to or greater than [1]');
+ });
+ });
+ });
+}
diff --git a/x-pack/test/api_integration/apis/endpoint/index.ts b/x-pack/test/api_integration/apis/endpoint/index.ts
index a3f0e828d7240f..238c63640386aa 100644
--- a/x-pack/test/api_integration/apis/endpoint/index.ts
+++ b/x-pack/test/api_integration/apis/endpoint/index.ts
@@ -8,7 +8,9 @@ import { FtrProviderContext } from '../../ftr_provider_context'; export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) { describe('Endpoint plugin', function() { + this.tags(['endpoint']); loadTestFile(require.resolve('./resolver')); loadTestFile(require.resolve('./endpoints')); + loadTestFile(require.resolve('./alerts')); }); }
diff --git a/x-pack/test/functional/es_archives/endpoint/alerts/api_feature/data.json.gz b/x-pack/test/functional/es_archives/endpoint/alerts/api_feature/data.json.gz
new file mode 100644
index 00000000000000..8d3c9fe5fd2338
Binary files /dev/null and b/x-pack/test/functional/es_archives/endpoint/alerts/api_feature/data.json.gz differ
diff --git a/x-pack/test/functional/es_archives/endpoint/alerts/api_feature/mappings.json b/x-pack/test/functional/es_archives/endpoint/alerts/api_feature/mappings.json
new file mode 100644
index 00000000000000..725a58af993252
--- /dev/null
+++ b/x-pack/test/functional/es_archives/endpoint/alerts/api_feature/mappings.json
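Review bot: The only rejection case in apis/endpoint/alerts.ts is the GET query `page_size=0`. The POST body form used by the first two cases has no negative test, and neither form is checked for a negative `page_index`, a non-numeric value or an oversized `page_size`. Paging parameters are caller-controlled and decide how large a result window one request can ask the index for, so each bound the route enforces should be pinned by a test. Whether an upper limit exists at all is not visible from this hunk and is worth confirming. A minimal addition is a fifth `it` that repeats the second case with `.send({ page_size: 0 })` and `.expect(400)`, plus a GET case for `?page_index=-1` that also expects 400.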
@@ -0,0 +1,5265 @@ +{ + "type": "index", + "value": { + "aliases": { + }, + "index": "my-index", + "mappings": { + "_meta": { + "version": "1.5.0-dev" + }, + "date_detection": false, + "dynamic": "strict", + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "authenticode": { + "properties": { + "cert_signer": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cert_timestamp": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "more_info_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "program_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher_link": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "call_stack": { + "properties": { + 
"instruction_pointer": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_section": { + "properties": { + "memory_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "rva": { + "ignore_above": 1024, + "type": "keyword" + }, + "symbol_info": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + 
"domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + 
"fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + 
"properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "doc_values": false, + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file_classification": { + "properties": { + "captured_file": { + "type": "boolean" + }, + "entry_modified": { + "type": "double" + }, + "is_signature_trusted": { + "type": "boolean" + }, + "macro_details": { + "properties": { + "code_page": { + "type": "long" + }, + "errors": { + "properties": { + "count": { + "type": "long" + }, + "error_type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "file_extension": { + "type": "long" + }, + "macro_collection_hashes": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project_file_hashes": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stream_data": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_code_size": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + } + } + }, + "malware_classification": { + "properties": { + "compressed_malware_features": { + "properties": { + "data_buffer": { + "ignore_above": 1024, + "type": "keyword" + }, + "decompressed_size": { + "type": "integer" + }, + "encoding": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "prevention_threshold": { + "type": "double" + }, + "score": { + "type": "double" + }, + "threshold": { + "type": "double" + }, + "upx_packed": { + "type": "boolean" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "quarantine_result": { + "properties": { + "alert_correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine_path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "signature_signer": { + "ignore_above": 1024, + "type": "keyword" + }, + "temp_file_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_blacklisted": { + "type": "boolean" + }, + "yara_hits": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + 
"norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + 
"properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "malware_classification": { + "properties": { + "compressed_malware_features": { + "properties": { + "data_buffer": { + "ignore_above": 1024, + "type": "keyword" + }, + "decompressed_size": { + "type": "integer" + }, + "encoding": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "prevention_threshold": { + "type": "double" + }, + "score": { + "type": "double" + }, + "threshold": { + "type": "double" + }, + "upx_packed": { + "type": "boolean" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "modules": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authenticode": { + "properties": { + "cert_signer": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cert_timestamp": { + 
"properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "more_info_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "program_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher_link": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "compile_time": { + "type": "date" + }, + "hash": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "malware_classification": { + "properties": { + "compressed_malware_features": { + "properties": { + "data_buffer": { + "ignore_above": 1024, + "type": "keyword" + }, + "decompressed_size": { + "type": "integer" + }, + "encoding": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "prevention_threshold": { + "type": "double" + }, + "score": { + "type": "double" + }, + "threshold": { + "type": "double" + }, + "upx_packed": { + "type": "boolean" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mapped_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_size": { + "type": "long" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe_exports": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ordinal": { + "type": "long" + } + }, + "type": "nested" + }, + "pe_imports": { + "properties": { + "dll_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_names": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + 
"signature_signer": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_status": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observer": { + "properties": { + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, 
+ "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "argv_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "authenticode": { + "properties": { + "cert_signer": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cert_timestamp": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "more_info_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "program_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher_link": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_percent": { + "type": "double" + }, + "cwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "defense_evasions": { + "properties": { + "call_stack": { + "properties": { + "instruction_pointer": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_section": { + "properties": { + "memory_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module_path": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"rva": { + "ignore_above": 1024, + "type": "keyword" + }, + "symbol_info": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "delta_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "evasion_subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "evasion_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "instruction_pointer": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_sections": { + "properties": { + "memory_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "module_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "properties": { + "thread_id": { + "type": "long" + }, + "thread_start_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "total_memory_size": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "env_variables": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "file_hash": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "gid": { + "type": "long" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "handle": { + "properties": { + "handle_id": { + "type": "long" + }, + "handle_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "handle_type": { + "ignore_above": 1024, + "type": "keyword" 
+ } + }, + "type": "nested" + }, + "has_unbacked_execute_memory": { + "type": "boolean" + }, + "hash": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash_matched_module": { + "type": "boolean" + }, + "is_endpoint": { + "type": "boolean" + }, + "malware_classification": { + "properties": { + "compressed_malware_features": { + "properties": { + "data_buffer": { + "ignore_above": 1024, + "type": "keyword" + }, + "decompressed_size": { + "type": "integer" + }, + "encoding": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "prevention_threshold": { + "type": "double" + }, + "score": { + "type": "double" + }, + "threshold": { + "type": "double" + }, + "upx_packed": { + "type": "boolean" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "memory_percent": { + "type": "double" + }, + "memory_region": { + "properties": { + "allocation_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocation_protection": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "histogram": { + "properties": { + "histogram_array": { + "ignore_above": 1024, + "type": "keyword" + }, + "histogram_flavor": { + "ignore_above": 1024, + "type": "keyword" + }, + "histogram_resolution": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "length": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "module_path": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"permission": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "unbacked_on_disk": { + "type": "boolean" + } + }, + "type": "nested" + }, + "modules": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authenticode": { + "properties": { + "cert_signer": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cert_timestamp": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "more_info_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "program_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher_link": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "compile_time": { + "type": "date" + }, + "hash": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "malware_classification": { + "properties": { + "compressed_malware_features": { + "properties": { + "data_buffer": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"decompressed_size": { + "type": "integer" + }, + "encoding": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "prevention_threshold": { + "type": "double" + }, + "score": { + "type": "double" + }, + "threshold": { + "type": "double" + }, + "upx_packed": { + "type": "boolean" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mapped_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_size": { + "type": "long" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe_exports": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ordinal": { + "type": "long" + } + }, + "type": "nested" + }, + "pe_imports": { + "properties": { + "dll_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_names": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "signature_signer": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_status": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "num_threads": { + "type": "long" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + 
"start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe_info": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authenticode": { + "properties": { + "cert_signer": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cert_timestamp": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "more_info_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "program_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher_link": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "compile_time": { + "type": "long" + }, + "entry_point_address": { + "type": "long" + }, + "is_dll": { + "type": "boolean" + }, + "malware_classification": { + "properties": { + "compressed_malware_features": { + "properties": { + "data_buffer": { + "ignore_above": 1024, + "type": "keyword" + }, + "decompressed_size": { + "type": "integer" + }, + "encoding": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"prevention_threshold": { + "type": "double" + }, + "score": { + "type": "double" + }, + "threshold": { + "type": "double" + }, + "upx_packed": { + "type": "boolean" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe_exports": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ordinal": { + "type": "long" + } + }, + "type": "nested" + }, + "pe_imports": { + "properties": { + "dll_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_names": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "resources": { + "properties": { + "resource_data": { + "properties": { + "entropy": { + "type": "double" + }, + "size": { + "type": "long" + } + } + }, + "resource_id": { + "type": "long" + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "sections": { + "properties": { + "entropy": { + "type": "double" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_size": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "signature_signer": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_info": { + "properties": { + "code_page": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "type": "long" + }, + "value_string": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + } + } + }, + "pgid": { + "type": "long" + }, + "phys_memory_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + 
}, + "services": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "type": "long" + }, + "short_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_signer": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threads": { + "properties": { + "entrypoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "type": "long" + }, + "start": { + "type": "date" + }, + "uptime": { + "type": "long" + } + }, + "type": "nested" + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "impersonation_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "integrity_level": { + "type": "long" + }, + "integrity_level_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_appcontainer": { + "type": "boolean" + }, + "privileges": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty_device_major_number": { + "type": "integer" + }, + "tty_device_minor_number": { + "type": "integer" + }, + "tty_device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "type": "long" + }, + "unbacked_execute_byte_count": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"unbacked_execute_region_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_pid": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_ppid": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "virt_memory_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": 
{ + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { 
+ "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "argv_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "authenticode": { + "properties": { + "cert_signer": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cert_timestamp": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "more_info_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "program_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher_link": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "cpu_percent": { + "type": "double" + }, + "cwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "defense_evasions": { + "properties": { + "call_stack": { + "properties": { + "instruction_pointer": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_section": { + "properties": { + "memory_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "rva": { + "ignore_above": 1024, + "type": "keyword" + }, + "symbol_info": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "delta_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "evasion_subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "evasion_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "instruction_pointer": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_sections": { + "properties": { + "memory_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "module_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "properties": { + "thread_id": { + "type": "long" + }, + "thread_start_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "total_memory_size": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "env_variables": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "file_hash": { + 
"properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "gid": { + "type": "long" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "handle": { + "properties": { + "handle_id": { + "type": "long" + }, + "handle_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "handle_type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "has_unbacked_execute_memory": { + "type": "boolean" + }, + "hash": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash_matched_module": { + "type": "boolean" + }, + "is_endpoint": { + "type": "boolean" + }, + "malware_classification": { + "properties": { + "compressed_malware_features": { + "properties": { + "data_buffer": { + "ignore_above": 1024, + "type": "keyword" + }, + "decompressed_size": { + "type": "integer" + }, + "encoding": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "prevention_threshold": { + "type": "double" + }, + "score": { + "type": "double" + }, + "threshold": { + "type": "double" + }, + "upx_packed": { + "type": "boolean" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "memory_percent": { + "type": "double" + }, + "memory_region": { + "properties": { + "allocation_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocation_protection": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "histogram": { + "properties": { + "histogram_array": { + "ignore_above": 1024, + "type": "keyword" + }, + "histogram_flavor": { + "ignore_above": 1024, + "type": "keyword" + }, + "histogram_resolution": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "length": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "module_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "permission": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "unbacked_on_disk": { + "type": "boolean" + } + }, + "type": "nested" + }, + "modules": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authenticode": { + "properties": { + "cert_signer": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cert_timestamp": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "more_info_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "program_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "publisher_link": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "compile_time": { + "type": "date" + }, + "hash": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "malware_classification": { + "properties": { + "compressed_malware_features": { + "properties": { + "data_buffer": { + "ignore_above": 1024, + "type": "keyword" + }, + "decompressed_size": { + "type": "integer" + }, + "encoding": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "prevention_threshold": { + "type": "double" + }, + "score": { + "type": "double" + }, + "threshold": { + "type": "double" + }, + "upx_packed": { + "type": "boolean" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mapped_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_size": { + "type": "long" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe_exports": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ordinal": { + "type": "long" + } + }, + "type": "nested" + }, + "pe_imports": { + "properties": { + "dll_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_names": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "signature_signer": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_status": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "num_threads": { + "type": "long" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 
1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe_info": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authenticode": { + "properties": { + "cert_signer": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cert_timestamp": { + "properties": { + "issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "more_info_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "program_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "publisher_link": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "compile_time": { + "type": "long" + }, + "entry_point_address": { + "type": "long" + }, + "is_dll": { + "type": "boolean" + }, + "malware_classification": { + "properties": { + "compressed_malware_features": { + "properties": { + "data_buffer": { + "ignore_above": 1024, + "type": "keyword" + }, + "decompressed_size": { + "type": "integer" + }, + "encoding": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "prevention_threshold": { + "type": "double" + }, + "score": { + "type": "double" + }, + "threshold": { + "type": "double" + }, + "upx_packed": { + "type": "boolean" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe_exports": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ordinal": { + "type": "long" + } + }, + "type": "nested" + }, + "pe_imports": { + "properties": { + "dll_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_names": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "resources": { + "properties": { + "resource_data": { + "properties": { + "entropy": { + "type": "double" + }, + "size": { + "type": "long" + } + } + }, + "resource_id": { + "type": "long" + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "sections": { + "properties": { + "entropy": { + "type": "double" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_size": { + "ignore_above": 1024, + "type": "keyword" + } + }, + 
"type": "nested" + }, + "signature_signer": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_info": { + "properties": { + "code_page": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "type": "long" + }, + "value_string": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + } + } + }, + "pgid": { + "type": "long" + }, + "phys_memory_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "services": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "type": "long" + }, + "short_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_signer": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threads": { + "properties": { + "entrypoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "type": "long" + }, + "start": { + "type": "date" + }, + "uptime": { + "type": "long" + } + }, + "type": "nested" + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "impersonation_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "integrity_level": { + "type": "long" + }, + "integrity_level_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_appcontainer": { + "type": "boolean" + }, + "privileges": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + 
"type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty_device_major_number": { + "type": "integer" + }, + "tty_device_minor_number": { + "type": "integer" + }, + "tty_device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "type": "long" + }, + "unbacked_execute_byte_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "unbacked_execute_region_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_pid": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_ppid": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "virt_memory_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "call_stack": { + "properties": { + "instruction_pointer": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_section": { + "properties": { + "memory_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "rva": { + "ignore_above": 1024, + "type": "keyword" + }, + "symbol_info": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "start": { + "type": "date" + }, + "start_address": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "start_address_module": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "impersonation_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "integrity_level": { + "type": "long" + }, + "integrity_level_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_appcontainer": { + "type": "boolean" + }, + "privileges": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "thread": { + "properties": { + "call_stack": { + "properties": { + "instruction_pointer": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_section": { + "properties": { + "memory_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "rva": { + "ignore_above": 1024, + "type": "keyword" + }, + "symbol_info": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "start": { + "type": "date" + }, + "start_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_address_module": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "impersonation_level": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "integrity_level": { + "type": "long" + }, + "integrity_level_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_appcontainer": { + "type": "boolean" + }, + "privileges": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "token": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "impersonation_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "integrity_level": { + "type": "long" + }, + "integrity_level_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_appcontainer": { + "type": "boolean" + }, + "privileges": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": 
{ + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "properties": { + 
"device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + 
"number_of_replicas": "1", + "number_of_shards": "1", + "refresh_interval": "1s" + } + } + } +} \ No newline at end of file