
CAPA Cache Error #3185

Merged
mlodic merged 3 commits into intelowlproject:develop from AnshSinghal:3157_capa
Jan 12, 2026

Conversation

AnshSinghal (Contributor) commented Jan 11, 2026

Closes #3157

Description

Please include a summary of the change and link to the related issue.

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue).
  • New feature (non-breaking change which adds functionality).
  • Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

  • I have read and understood the rules about how to Contribute to this project
  • The pull request is for the branch develop
  • A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
    • I strictly followed the documentation "How to create a Plugin"
    • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
    • Advanced-Usage was updated (in case the plugin provides additional optional configuration). A link to the PR to the docs repo has been added as a comment here.
    • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
    • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
    • If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
    • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
    • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
    • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks (HEAD HTTP requests).
    • If a new analyzer has been added, I have created a unittest for it in the appropriate dir. I have also mocked all the external calls, so that no real calls are being made while testing.
    • I have added that raw JSON sample to the get_mocker_response() method of the unittest class. This serves us to provide a valid sample for testing.
    • I have created the corresponding DataModel for the new analyzer following the documentation
  • I have inserted the copyright banner at the start of the file: # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl # See the file 'LICENSE' for copying permission.
  • Please avoid adding new libraries as requirements whenever it is possible. Use new libraries only if strictly needed to solve the issue you are working for. In case of doubt, ask a maintainer permission to use a specific library.
  • If external libraries/packages with restrictive licenses were added, they were added in the Legal Notice section.
  • Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
  • If the GUI has been modified:
    • I have provided a screenshot of the result in the PR.
    • I have created new frontend tests for the new component or updated existing ones.
  • After you have submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

Important Rules

  • If you fail to fill in the Checklist properly, your PR won't be reviewed by the maintainers.
  • Every time you make changes to the PR and you think the work is done, you should explicitly ask for a review by using GitHub's reviewing system detailed here.
{
  "id": 2,
  "user": { "username": "admin" },
  "tags": [],
  "comments": [],
  "status": "reported_without_fails",
  "pivots_to_execute": [],
  "analyzers_to_execute": ["Capa_Info"],
  "analyzers_requested": ["Capa_Info"],
  "connectors_to_execute": [],
  "connectors_requested": [],
  "visualizers_to_execute": [],
  "playbook_requested": null,
  "playbook_to_execute": null,
  "investigation_id": null,
  "investigation_name": null,
  "permissions": { "kill": true, "delete": true, "plugin_actions": true },
  "data_model": {
    "id": 2,
    "analyzers_report": [],
    "signatures": [],
    "evaluation": null,
    "reliability": 5,
    "kill_chain_phase": null,
    "external_references": [],
    "related_threats": [],
    "tags": null,
    "malware_family": null,
    "additional_info": {},
    "date": "2026-01-11T15:36:30.677316Z",
    "comments": [],
    "file_information": {},
    "stats": {}
  },
  "file_name": "wildfire-test-pe-file.exe",
  "file_mimetype": "application/vnd.microsoft.portable-executable",
  "is_sample": true,
  "observable_name": "wildfire-test-pe-file.exe",
  "observable_classification": "file",
  "md5": "3a4ecbcf3309ddd33fcb63bd1c343f33",
  "analyzer_reports": [
    {
      "name": "Capa_Info",
      "process_time": 16.07,
      "status": "SUCCESS",
      "end_time": "2026-01-11T15:36:30.304035Z",
      "parameters": { "arch": "64", "timeout": 15, "shellcode": false },
      "type": "analyzer",
      "id": 2,
      "report": {
        "meta": {
          "argv": [
            "--quiet",
            "--json",
            "-r",
            "/opt/deploy/files_required/capa/capa-rules",
            "-s",
            "/opt/deploy/files_required/capa/sigs",
            "/opt/deploy/files_required/3a4ecbcf3309ddd33fcb63bd1c343f33"
          ],
          "flavor": "static",
          "sample": {
            "md5": "3a4ecbcf3309ddd33fcb63bd1c343f33",
            "path": "/opt/deploy/files_required/3a4ecbcf3309ddd33fcb63bd1c343f33",
            "sha1": "8013b93a5da850f09d3f2677d99774c9702807b0",
            "sha256": "e9ae2c5bc607bb884761c0d18bf9d0f52f476746c268860d600fce6b29248101"
          },
          "version": "9.2.1",
          "analysis": {
            "os": "windows",
            "arch": "i386",
            "rules": ["/opt/deploy/files_required/capa/capa-rules"],
            "format": "pe",
                "name": "___security_init_cookie",
                "address": { "type": "absolute", "value": 4211535 }
              },
              {
                "name": "__set_osfhnd",
                "address": { "type": "absolute", "value": 4211698 }
              },
              {
                "name": "__free_osfhnd",
                "address": { "type": "absolute", "value": 4211827 }
              },
              {
                "name": "__get_osfhandle",
                "address": { "type": "absolute", "value": 4211961 }
              },
              {
                "name": "___lock_fhandle",
                "address": { "type": "absolute", "value": 4212066 }
              },
              {
                "name": "__unlock_fhandle",
                "address": { "type": "absolute", "value": 4212225 }
              },
              {
                "name": "__alloc_osfhnd",
                "address": { "type": "absolute", "value": 4212264 }
              },
              {
                "name": "__write_nolock",
                "address": { "type": "absolute", "value": 4212673 }
              },
              {
                "name": "__commit",
                "address": { "type": "absolute", "value": 4214674 }
              },
              {
                "name": "__mtinitlocks",
                "address": { "type": "absolute", "value": 4214891 }
              },
              {
                "name": "__unlock",
                "address": { "type": "absolute", "value": 4215052 }
              },
              {
                "name": "__mtinitlocknum",
                "address": { "type": "absolute", "value": 4215075 }
              },
              {
                "name": "__lock",
                "address": { "type": "absolute", "value": 4215269 }
              },
              {
                "name": "_memset",
                "address": { "type": "absolute", "value": 4215328 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4215450 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4215519 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4215595 }
              },
              {
                "name": "__fcloseall",
                "address": { "type": "absolute", "value": 4215673 }
              },
              {
                "name": "__ValidateImageBase",
                "address": { "type": "absolute", "value": 4215840 }
              },
              {
                "name": "__FindPESection",
                "address": { "type": "absolute", "value": 4215904 }
              },
              {
                "name": "__IsNonwritableInCurrentImage",
                "address": { "type": "absolute", "value": 4215984 }
              },
              {
                "name": "__tsopen_nolock",
                "address": { "type": "absolute", "value": 4216172 }
              },
              {
                "name": "__mbsnbicmp_l",
                "address": { "type": "absolute", "value": 4218244 }
              },
              {
                "name": "__mbsnbicmp",
                "address": { "type": "absolute", "value": 4218760 }
              },
              {
                "name": "__mbsnbcmp_l",
                "address": { "type": "absolute", "value": 4218786 }
              },
              {
                "name": "__mbsnbcmp",
                "address": { "type": "absolute", "value": 4219118 }
              },
              {
                "name": "__global_unwind2",
                "address": { "type": "absolute", "value": 4219152 }
              },
              {
                "name": "__unwind_handler",
                "address": { "type": "absolute", "value": 4219184 }
              },
              {
                "name": "__local_unwind2",
                "address": { "type": "absolute", "value": 4219253 }
              },
              {
                "name": "_at_done",
                "address": { "type": "absolute", "value": 4219419 }
              },
              {
                "name": "__NLG_Notify",
                "address": { "type": "absolute", "value": 4219429 }
              },
              {
                "name": "__NLG_Call",
                "address": { "type": "absolute", "value": 4219460 }
              },
              {
                "name": "__isatty",
                "address": { "type": "absolute", "value": 4219463 }
              },
              {
                "name": "?CPtoLCID@@YAHH@Z",
                "address": { "type": "absolute", "value": 4219549 }
              },
              {
                "name": "?setSBCS@@YAXPAUthreadmbcinfostruct@@@Z",
                "address": { "type": "absolute", "value": 4219596 }
              },
              {
                "name": "?setSBUpLow@@YAXPAUthreadmbcinfostruct@@@Z",
                "address": { "type": "absolute", "value": 4219696 }
              },
              {
                "name": "___updatetmbcinfo",
                "address": { "type": "absolute", "value": 4220096 }
              },
              {
                "name": "__unlockexit",
                "address": { "type": "absolute", "value": 4220251 }
              },
              {
                "name": "?getSystemCP@@YAHH@Z",
                "address": { "type": "absolute", "value": 4220260 }
              },
              {
                "name": "__setmbcp_nolock",
                "address": { "type": "absolute", "value": 4220384 }
              },
              {
                "name": "__setmbcp",
                "address": { "type": "absolute", "value": 4220873 }
              },
              {
                "name": "__unlockexit",
                "address": { "type": "absolute", "value": 4221226 }
              },
              {
                "name": "___initmbctable",
                "address": { "type": "absolute", "value": 4221283 }
              },
              {
                "name": "___addlocaleref",
                "address": { "type": "absolute", "value": 4221313 }
              },
              {
                "name": "___removelocaleref",
                "address": { "type": "absolute", "value": 4221456 }
              },
              {
                "name": "___freetlocinfo",
                "address": { "type": "absolute", "value": 4221609 }
              },
              {
                "name": "__updatetlocinfoEx_nolock",
                "address": { "type": "absolute", "value": 4221940 }
              },
              {
                "name": "___updatetlocinfo",
                "address": { "type": "absolute", "value": 4222017 }
              },
              {
                "name": "__fputwc_nolock",
                "address": { "type": "absolute", "value": 4222138 }
              },
              {
                "name": "__initp_misc_cfltcvt_tab",
                "address": { "type": "absolute", "value": 4222529 }
              },
              {
                "name": "__get_printf_count_output",
                "address": { "type": "absolute", "value": 4222564 }
              },
              {
                "name": "_strlen",
                "address": { "type": "absolute", "value": 4222592 }
              },
              {
                "name": "__mbtowc_l",
                "address": { "type": "absolute", "value": 4222731 }
              },
              {
                "name": "_mbtowc",
                "address": { "type": "absolute", "value": 4223009 }
              },
              {
                "name": "__isleadbyte_l",
                "address": { "type": "absolute", "value": 4223035 }
              },
              {
                "name": "_isleadbyte",
                "address": { "type": "absolute", "value": 4223091 }
              },
              {
                "name": "__aulldvrm",
                "address": { "type": "absolute", "value": 4223120 }
              },
              {
                "name": "?terminate@@YAXXZ",
                "address": { "type": "absolute", "value": 4223269 }
              },
              {
                "name": "_siglookup",
                "address": { "type": "absolute", "value": 4223373 }
              },
              {
                "name": "_raise",
                "address": { "type": "absolute", "value": 4223441 }
              },
              {
                "name": "?AFXSetTopLevelFrame@@YAXPAVCFrameWnd@@@Z",
                "address": { "type": "absolute", "value": 4223860 }
              },
              {
                "name": "?AFXSetTopLevelFrame@@YAXPAVCFrameWnd@@@Z",
                "address": { "type": "absolute", "value": 4223875 }
              },
              {
                "name": "?AFXSetTopLevelFrame@@YAXPAVCFrameWnd@@@Z",
                "address": { "type": "absolute", "value": 4223890 }
              },
              {
                "name": "__callnewh",
                "address": { "type": "absolute", "value": 4223905 }
              },
              {
                "name": "__onexit_nolock",
                "address": { "type": "absolute", "value": 4223945 }
              },
              {
                "name": "___onexitinit",
                "address": { "type": "absolute", "value": 4224127 }
              },
              {
                "name": "__onexit",
                "address": { "type": "absolute", "value": 4224176 }
              },
              {
                "name": "_atexit",
                "address": { "type": "absolute", "value": 4224236 }
              },
              {
                "name": "_wcscat_s",
                "address": { "type": "absolute", "value": 4224623 }
              },
              {
                "name": "_wcsncpy_s",
                "address": { "type": "absolute", "value": 4224740 }
              },
              {
                "name": "_wcslen",
                "address": { "type": "absolute", "value": 4224945 }
              },
              {
                "name": "_wcscpy_s",
                "address": { "type": "absolute", "value": 4224972 }
              },
              {
                "name": "__set_error_mode",
                "address": { "type": "absolute", "value": 4225071 }
              },
              {
                "name": "_strcpy_s",
                "address": { "type": "absolute", "value": 4225134 }
              },
              {
                "name": "?x_ismbbtype_l@@YAHPAUlocaleinfo_struct@@IHH@Z",
                "address": { "type": "absolute", "value": 4225229 }
              },
              {
                "name": "__ismbblead",
                "address": { "type": "absolute", "value": 4225312 }
              },
              {
                "name": "__putwch_nolock",
                "address": { "type": "absolute", "value": 4225336 }
              },
              {
                "name": "__lseeki64_nolock",
                "address": { "type": "absolute", "value": 4225402 }
              },
              {
                "name": "__lseeki64",
                "address": { "type": "absolute", "value": 4225535 }
              },
              {
                "name": "__alloca_probe",
                "address": { "type": "absolute", "value": 4225776 }
              },
              {
                "name": "_malloc",
                "address": { "type": "absolute", "value": 4226021 }
              },
              {
                "name": "__calloc_impl",
                "address": { "type": "absolute", "value": 4226169 }
              },
              {
                "name": "_realloc",
                "address": { "type": "absolute", "value": 4226299 }
              },
              {
                "name": "__chsize_nolock",
                "address": { "type": "absolute", "value": 4226472 }
              },
              {
                "name": "__read_nolock",
                "address": { "type": "absolute", "value": 4226910 }
              },
              {
                "name": "__lseek_nolock",
                "address": { "type": "absolute", "value": 4228373 }
              },
              {
                "name": "__setmode_nolock",
                "address": { "type": "absolute", "value": 4228490 }
              },
              {
                "name": "__strnicmp_l",
                "address": { "type": "absolute", "value": 4228722 }
              },
              {
                "name": "__strnicmp",
                "address": { "type": "absolute", "value": 4228948 }
              },
              {
                "name": "_strncmp",
                "address": { "type": "absolute", "value": 4229031 }
              },
              {
                "name": "__freea",
                "address": { "type": "absolute", "value": 4229223 }
              },
              {
                "name": "?__crtLCMapStringA_stat@@YAHPAUlocaleinfo_struct@@KKPBDHPADHHH@Z",
                "address": { "type": "absolute", "value": 4229255 }
              },
              {
                "name": "___crtLCMapStringA",
                "address": { "type": "absolute", "value": 4229742 }
              },
              {
                "name": "?__crtGetStringTypeA_stat@@YAHPAUlocaleinfo_struct@@KPBDHPAGHHH@Z",
                "address": { "type": "absolute", "value": 4229812 }
              },
              {
                "name": "___crtGetStringTypeA",
                "address": { "type": "absolute", "value": 4230043 }
              },
              {
                "name": "___free_lc_time",
                "address": { "type": "absolute", "value": 4230107 }
              },
              {
                "name": "___free_lconv_num",
                "address": { "type": "absolute", "value": 4230994 }
              },
              {
                "name": "___free_lconv_mon",
                "address": { "type": "absolute", "value": 4231099 }
              },
              {
                "name": "__flswbuf",
                "address": { "type": "absolute", "value": 4231353 }
              },
              {
                "name": "__flsbuf",
                "address": { "type": "absolute", "value": 4231725 }
              },
              {
                "name": "__wctomb_s_l",
                "address": { "type": "absolute", "value": 4232081 }
              },
              {
                "name": "_wctomb_s",
                "address": { "type": "absolute", "value": 4232422 }
              },
              {
                "name": "_abort",
                "address": { "type": "absolute", "value": 4232460 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4232512 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4232660 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4232704 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4232740 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4233092 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4233132 }
              },
              {
                "name": "?",
                "address": { "type": "absolute", "value": 4233377 }
              },
              {
                "name": "__tolower_l",
                "address": { "type": "absolute", "value": 4233482 }
              },
              {
                "name": "___ascii_strnicmp",
                "address": { "type": "absolute", "value": 4233760 }
              },
              {
                "name": "__alloca_probe_16",
                "address": { "type": "absolute", "value": 4233872 }
              },
              {
                "name": "__getbuf",
                "address": { "type": "absolute", "value": 4233916 }
              },
              {
                "name": "__isctype_l",
                "address": { "type": "absolute", "value": 4234248 }
              },
              {
                "name": "_strcspn",
                "address": { "type": "absolute", "value": 4234432 }
              },
              {
                "name": "_strpbrk",
                "address": { "type": "absolute", "value": 4234656 }
              }
            ]
          },
          "timestamp": "2026-01-11T15:36:28.703390"
        },
        "rules": {
          "contain loop": {
            "meta": {
              "lib": true,
              "mbc": [],
              "maec": {},
              "name": "contain loop",
              "attack": [],
              "scopes": { "static": "function" },
              "authors": ["[email protected]"],
              "examples": ["08AC667C65D36D6542917655571E61C8:0x406EAA"],
              "references": [],
              "description": "",
              "is_subscope_rule": false
            },
            "source": "rule:\n  meta:\n    name: contain loop\n    authors:\n      - [email protected]\n    lib: true\n    scopes:\n      static: function\n      dynamic: unsupported  # requires characteristic features\n    examples:\n      - 08AC667C65D36D6542917655571E61C8:0x406EAA\n  features:\n    - or:\n      - characteristic: loop\n      - characteristic: tight loop\n      - characteristic: recursive call\n",
            "matches": [
              [
                { "type": "absolute", "value": 4203960 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "or" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "type": "characteristic",
                          "characteristic": "loop"
                        }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "absolute", "value": 4203960 }]
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "type": "characteristic",
                          "characteristic": "tight loop"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "type": "characteristic",
                          "characteristic": "recursive call"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ],
              [
                { "type": "absolute", "value": 4210287 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "or" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "type": "characteristic",
                          "characteristic": "loop"
                        }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "absolute", "value": 4210287 }]
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "type": "characteristic",
                          "characteristic": "tight loop"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "type": "characteristic",
                          "characteristic": "recursive call"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ],
              [
                { "type": "absolute", "value": 4210325 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "or" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "type": "characteristic",
                          "characteristic": "loop"
                        }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "absolute", "value": 4210325 }]
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "type": "characteristic",
                          "characteristic": "tight loop"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "type": "characteristic",
                          "characteristic": "recursive call"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ]
            ]
          },
          "terminate process": {
            "meta": {
              "lib": false,
              "mbc": [
                {
                  "id": "C0018",
                  "parts": ["Process", "Terminate Process"],
                  "method": "",
                  "behavior": "Terminate Process",
                  "objective": "Process"
                }
              ],
              "maec": {},
              "name": "terminate process",
              "attack": [],
              "scopes": { "static": "function", "dynamic": "span of calls" },
              "authors": [
                "[email protected]",
                "[email protected]",
                "[email protected]"
              ],
              "examples": [
                "C91887D861D9BD4A5872249B641BC9F9:0x401A77",
                "9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x10010307"
              ],
              "namespace": "host-interaction/process/terminate",
              "references": [],
              "description": "",
              "is_subscope_rule": false
            },
            "source": "rule:\n  meta:\n    name: terminate process\n    namespace: host-interaction/process/terminate\n    authors:\n      - [email protected]\n      - [email protected]\n      - [email protected]\n    scopes:\n      static: function\n      dynamic: span of calls\n    mbc:\n      - Process::Terminate Process [C0018]\n    examples:\n      - C91887D861D9BD4A5872249B641BC9F9:0x401A77\n      - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x10010307\n  features:\n    - or:\n      - api: System.Diagnostics.Process::Kill\n      - api: System.Diagnostics.Process::WaitForExit\n      - api: System.Diagnostics.Process::WaitForExitAsync\n      - api: System.Environment::Exit\n      - api: System.Windows.Forms.Application::Exit\n      - api: exit\n      - api: Exit\n      - api: RstrtMgr.RmShutdown\n      - and:\n        - os: linux\n        - api: exit_group\n      - and:\n        - optional:\n          - match: open process\n        - or:\n          - api: kernel32.TerminateProcess\n          - api: ntdll.NtTerminateProcess\n          - api: kernel32.ExitProcess\n          - api: ZwTerminateProcess\n",
            "matches": [
              [
                { "type": "absolute", "value": 4198584 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "or" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "System.Diagnostics.Process::Kill",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "System.Diagnostics.Process::WaitForExit",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "System.Diagnostics.Process::WaitForExitAsync",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "System.Environment::Exit",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "System.Windows.Forms.Application::Exit",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "exit", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "Exit", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "RmShutdown", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "statement",
                        "statement": { "type": "and" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [
                        {
                          "node": {
                            "type": "feature",
                            "feature": { "os": "linux", "type": "os" }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": { "api": "exit_group", "type": "api" }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        }
                      ],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "statement",
                        "statement": { "type": "and" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [
                        {
                          "node": {
                            "type": "statement",
                            "statement": { "type": "optional" }
                          },
                          "success": true,
                          "captures": {},
                          "children": [
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "type": "match",
                                  "match": "open process"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            }
                          ],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "statement",
                            "statement": { "type": "or" }
                          },
                          "success": true,
                          "captures": {},
                          "children": [
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "TerminateProcess",
                                  "type": "api"
                                }
                              },
                              "success": true,
                              "captures": {},
                              "children": [],
                              "locations": [
                                { "type": "absolute", "value": 4199860 }
                              ]
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "NtTerminateProcess",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "ExitProcess",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "ZwTerminateProcess",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            }
                          ],
                          "locations": []
                        }
                      ],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ]
            ]
          },
          "set registry value": {
            "meta": {
              "lib": false,
              "mbc": [
                {
                  "id": "C0036.001",
                  "parts": ["Operating System", "Registry", "Set Registry Key"],
                  "method": "Set Registry Key",
                  "behavior": "Registry",
                  "objective": "Operating System"
                }
              ],
              "maec": {},
              "name": "set registry value",
              "attack": [],
              "scopes": { "static": "function", "dynamic": "call" },
              "authors": [
                "[email protected]",
                "[email protected]"
              ],
              "examples": [
                "BFB9B5391A13D0AFD787E87AB90F14F5:0x13147AF0",
                "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E",
                "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40415E",
                "98c37c3c23bbfb362dac7754c6ba48e75cf24d73bc963a4cdfca557b9e016909:0x40294D"
              ],
              "namespace": "host-interaction/registry/create",
              "references": [],
              "description": "",
              "is_subscope_rule": false
            },
            "source": "rule:\n  meta:\n    name: set registry value\n    namespace: host-interaction/registry/create\n    authors:\n      - [email protected]\n      - [email protected]\n    scopes:\n      static: function\n      dynamic: call\n    mbc:\n      - Operating System::Registry::Set Registry Key [C0036.001]\n    examples:\n      - BFB9B5391A13D0AFD787E87AB90F14F5:0x13147AF0\n      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E\n      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40415E\n      - 98c37c3c23bbfb362dac7754c6ba48e75cf24d73bc963a4cdfca557b9e016909:0x40294D\n  features:\n    - or:\n      - and:\n        - optional:\n          - match: create or open registry key\n        - or:\n          - api: advapi32.RegSetValue\n          - api: advapi32.RegSetValueEx\n          - api: advapi32.RegSetKeyValue\n          - api: ZwSetValueKey\n          - api: NtSetValueKey\n          - api: RtlWriteRegistryValue\n          - api: SHSetValue\n          - api: SHRegSetPath\n          - api: SHRegSetValue\n          - api: SHRegSetUSValue\n          - api: SHRegWriteUSValue\n          - api: Microsoft.Win32.RegistryKey::SetValue\n          - api: Microsoft.Win32.Registry::SetValue\n      - and:\n        - match: host-interaction/process/create\n        - string: \"/add/i\"\n        - or:\n          - string: \"/reg(|.exe)/i\"\n          - string: \"/hklm/i\"\n          - string: \"/HKEY_LOCAL_MACHINE/i\"\n          - string: \"/hkcu/i\"\n          - string: \"/HKEY_CURRENT_USER/i\"\n",
            "matches": [
              [
                { "type": "absolute", "value": 4198400 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "or" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "statement",
                        "statement": { "type": "and" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "type": "match",
                              "match": "host-interaction/process/create"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": { "type": "regex", "regex": "/add/i" }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "statement",
                            "statement": { "type": "or" }
                          },
                          "success": false,
                          "captures": {},
                          "children": [
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "type": "regex",
                                  "regex": "/reg(|.exe)/i"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "type": "regex",
                                  "regex": "/hklm/i"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "type": "regex",
                                  "regex": "/HKEY_LOCAL_MACHINE/i"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "type": "regex",
                                  "regex": "/hkcu/i"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "type": "regex",
                                  "regex": "/HKEY_CURRENT_USER/i"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            }
                          ],
                          "locations": []
                        }
                      ],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "statement",
                        "statement": { "type": "and" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [
                        {
                          "node": {
                            "type": "statement",
                            "statement": { "type": "optional" }
                          },
                          "success": true,
                          "captures": {},
                          "children": [
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "type": "match",
                                  "match": "create or open registry key"
                                }
                              },
                              "success": true,
                              "captures": {},
                              "children": [
                                {
                                  "node": { "type": null, "statement": null },
                                  "success": true,
                                  "captures": {},
                                  "children": [
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null,
                                    null
                                  ],
                                  "locations": []
                                }
                              ],
                              "locations": [
                                { "type": "absolute", "value": 4198400 }
                              ]
                            }
                          ],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "statement",
                            "statement": { "type": "or" }
                          },
                          "success": true,
                          "captures": {},
                          "children": [
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "RegSetValue",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "RegSetValueEx",
                                  "type": "api"
                                }
                              },
                              "success": true,
                              "captures": {},
                              "children": [],
                              "locations": [
                                { "type": "absolute", "value": 4198509 }
                              ]
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "RegSetKeyValue",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "ZwSetValueKey",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "NtSetValueKey",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "RtlWriteRegistryValue",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "SHSetValue",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "SHRegSetPath",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "SHRegSetValue",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "SHRegSetUSValue",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "SHRegWriteUSValue",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "Microsoft.Win32.RegistryKey::SetValue",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            },
                            {
                              "node": {
                                "type": "feature",
                                "feature": {
                                  "api": "Microsoft.Win32.Registry::SetValue",
                                  "type": "api"
                                }
                              },
                              "success": false,
                              "captures": {},
                              "children": [],
                              "locations": []
                            }
                          ],
                          "locations": []
                        }
                      ],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ]
            ]
          },
          "create or open file": {
            "meta": {
              "lib": true,
              "mbc": [
                {
                  "id": "C0016",
                  "parts": ["File System", "Create File"],
                  "method": "",
                  "behavior": "Create File",
                  "objective": "File System"
                }
              ],
              "maec": {},
              "name": "create or open file",
              "attack": [],
              "scopes": { "static": "instruction", "dynamic": "call" },
              "authors": ["[email protected]", "[email protected]"],
              "examples": ["B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x401D7E"],
              "references": [],
              "description": "",
              "is_subscope_rule": false
            },
            "source": "rule:\n  meta:\n    name: create or open file\n    authors:\n      - [email protected]\n      - [email protected]\n    lib: true\n    scopes:\n      static: instruction\n      dynamic: call\n    mbc:\n      - File System::Create File [C0016]\n    examples:\n      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x401D7E\n  features:\n    - or:\n      - api: CreateFile\n      - api: CreateFileEx\n      - api: IoCreateFile\n      - api: IoCreateFileEx\n      - api: ZwOpenFile\n      - api: ZwCreateFile\n      - api: NtOpenFile\n      - api: NtCreateFile\n      - api: LZCreateFile\n      - api: LZOpenFile\n      - api: fopen\n      - api: fopen64\n      - api: fdopen\n      - api: freopen\n      - api: open\n      - api: openat\n",
            "matches": [
              [
                { "type": "absolute", "value": 4233447 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "or" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "CreateFile", "type": "api" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "absolute", "value": 4233447 }]
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "CreateFileEx", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "IoCreateFile", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "IoCreateFileEx", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "ZwOpenFile", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "ZwCreateFile", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "NtOpenFile", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "NtCreateFile", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "LZCreateFile", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "LZOpenFile", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "fopen", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "fopen64", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "fdopen", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "freopen", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "open", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "openat", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ]
            ]
          },
          "create or open registry key": {
            "meta": {
              "lib": true,
              "mbc": [
                {
                  "id": "C0036.004",
                  "parts": [
                    "Operating System",
                    "Registry",
                    "Create Registry Key"
                  ],
                  "method": "Create Registry Key",
                  "behavior": "Registry",
                  "objective": "Operating System"
                },
                {
                  "id": "C0036.003",
                  "parts": [
                    "Operating System",
                    "Registry",
                    "Open Registry Key"
                  ],
                  "method": "Open Registry Key",
                  "behavior": "Registry",
                  "objective": "Operating System"
                }
              ],
              "maec": {},
              "name": "create or open registry key",
              "attack": [],
              "scopes": { "static": "basic block", "dynamic": "call" },
              "authors": [
                "[email protected]",
                "[email protected]"
              ],
              "examples": [
                "Practical Malware Analysis Lab 03-02.dll_:0x10004706",
                "Practical Malware Analysis Lab 11-01.exe_:0x401000",
                "493167E85E45363D09495D0841C30648:0x404D60",
                "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4045F2",
                "B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E",
                "692f7fd6d198e804d6af98eb9e390d61:0x6000003"
              ],
              "references": [],
              "description": "",
              "is_subscope_rule": false
            },
            "source": "rule:\n  meta:\n    name: create or open registry key\n    authors:\n      - [email protected]\n      - [email protected]\n    lib: true\n    scopes:\n      static: basic block\n      dynamic: call\n    mbc:\n      - Operating System::Registry::Create Registry Key [C0036.004]\n      - Operating System::Registry::Open Registry Key [C0036.003]\n    examples:\n      - Practical Malware Analysis Lab 03-02.dll_:0x10004706\n      - Practical Malware Analysis Lab 11-01.exe_:0x401000\n      - 493167E85E45363D09495D0841C30648:0x404D60\n      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4045F2\n      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E\n      - 692f7fd6d198e804d6af98eb9e390d61:0x6000003\n  features:\n    - or:\n      - api: advapi32.RegOpenKey\n      - api: advapi32.RegOpenKeyEx\n      - api: advapi32.RegCreateKey\n      - api: advapi32.RegCreateKeyEx\n      - api: advapi32.RegOpenCurrentUser\n      - api: advapi32.RegOpenKeyTransacted\n      - api: advapi32.RegOpenUserClassesRoot\n      - api: advapi32.RegCreateKeyTransacted\n      - api: ZwOpenKey\n      - api: ZwOpenKeyEx\n      - api: ZwCreateKey\n      - api: ZwOpenKeyTransacted\n      - api: ZwOpenKeyTransactedEx\n      - api: ZwCreateKeyTransacted\n      - api: NtOpenKey\n      - api: NtCreateKey\n      - api: SHRegOpenUSKey\n      - api: SHRegCreateUSKey\n      - api: RtlCreateRegistryKey\n      - api: Microsoft.Win32.RegistryKey::OpenSubKey\n      - api: Microsoft.Win32.RegistryKey::OpenBaseKey\n      - api: Microsoft.Win32.RegistryKey::OpenRemoteBaseKey\n      - api: Microsoft.Win32.RegistryKey::CreateSubKey\n",
            "matches": [
              [
                { "type": "absolute", "value": 4198400 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "or" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "RegOpenKey", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "RegOpenKeyEx", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "RegCreateKey", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "RegCreateKeyEx", "type": "api" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "absolute", "value": 4198442 }]
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "RegOpenCurrentUser",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "RegOpenKeyTransacted",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "RegOpenUserClassesRoot",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "RegCreateKeyTransacted",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "ZwOpenKey", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "ZwOpenKeyEx", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "ZwCreateKey", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "ZwOpenKeyTransacted",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "ZwOpenKeyTransactedEx",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "ZwCreateKeyTransacted",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "NtOpenKey", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "NtCreateKey", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "SHRegOpenUSKey", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "SHRegCreateUSKey", "type": "api" }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "RtlCreateRegistryKey",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "Microsoft.Win32.RegistryKey::OpenSubKey",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "Microsoft.Win32.RegistryKey::OpenBaseKey",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "Microsoft.Win32.RegistryKey::OpenRemoteBaseKey",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    },
                    {
                      "node": {
                        "type": "feature",
                        "feature": {
                          "api": "Microsoft.Win32.RegistryKey::CreateSubKey",
                          "type": "api"
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ]
            ]
          },
          "allocate thread local storage": {
            "meta": {
              "lib": false,
              "mbc": [
                {
                  "id": "C0040",
                  "parts": ["Process", "Allocate Thread Local Storage"],
                  "method": "",
                  "behavior": "Allocate Thread Local Storage",
                  "objective": "Process"
                }
              ],
              "maec": {},
              "name": "allocate thread local storage",
              "attack": [],
              "scopes": { "static": "function", "dynamic": "call" },
              "authors": ["[email protected]"],
              "examples": ["03B236B23B1EC37C663527C1F53AF3FE:0x18000ADF6"],
              "namespace": "host-interaction/thread/tls",
              "references": [],
              "description": "",
              "is_subscope_rule": false
            },
            "source": "rule:\n  meta:\n    name: allocate thread local storage\n    namespace: host-interaction/thread/tls\n    authors:\n      - [email protected]\n    scopes:\n      static: function\n      dynamic: call\n    mbc:\n      - Process::Allocate Thread Local Storage [C0040]\n    examples:\n      - 03B236B23B1EC37C663527C1F53AF3FE:0x18000ADF6\n  features:\n    - or:\n      - api: kernel32.TlsAlloc\n",
            "matches": [
              [
                { "type": "absolute", "value": 4210372 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "or" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "api": "TlsAlloc", "type": "api" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "absolute", "value": 4210372 }]
                    }
                  ],
                  "locations": []
                }
              ]
            ]
          },
          "link many functions at runtime": {
            "meta": {
              "lib": false,
              "mbc": [],
              "maec": {},
              "name": "link many functions at runtime",
              "attack": [
                {
                  "id": "T1129",
                  "parts": ["Execution", "Shared Modules"],
                  "tactic": "Execution",
                  "technique": "Shared Modules",
                  "subtechnique": ""
                }
              ],
              "scopes": { "static": "function", "dynamic": "span of calls" },
              "authors": ["[email protected]", "[email protected]"],
              "examples": ["b7b5e1253710d8927cbe07d52d2d2e10:0x401000"],
              "namespace": "linking/runtime-linking",
              "references": [],
              "description": "",
              "is_subscope_rule": false
            },
            "source": "rule:\n  meta:\n    name: link many functions at runtime\n    namespace: linking/runtime-linking\n    authors:\n      - [email protected]\n      - [email protected]\n    scopes:\n      static: function\n      dynamic: span of calls\n    att&ck:\n      - Execution::Shared Modules [T1129]\n    examples:\n      - b7b5e1253710d8927cbe07d52d2d2e10:0x401000\n  features:\n    - or:\n      - count(match(link function at runtime on Windows)): 5 or more\n      - count(match(link function at runtime on Linux)): 5 or more\n",
            "matches": [
              [
                { "type": "absolute", "value": 4224259 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "or" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "statement",
                        "statement": {
                          "max": 9223372036854776000,
                          "min": 5,
                          "type": "range",
                          "child": {
                            "type": "match",
                            "match": "link function at runtime on Windows"
                          }
                        }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [
                        { "type": "absolute", "value": 4224392 },
                        { "type": "absolute", "value": 4224408 },
                        { "type": "absolute", "value": 4224376 },
                        { "type": "absolute", "value": 4224346 },
                        { "type": "absolute", "value": 4224428 }
                      ]
                    },
                    {
                      "node": {
                        "type": "statement",
                        "statement": {
                          "max": 9223372036854776000,
                          "min": 5,
                          "type": "range",
                          "child": {
                            "type": "match",
                            "match": "link function at runtime on Linux"
                          }
                        }
                      },
                      "success": false,
                      "captures": {},
                      "children": [],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ]
            ]
          },
          "link function at runtime on Windows": {
            "meta": {
              "lib": false,
              "mbc": [],
              "maec": {},
              "name": "link function at runtime on Windows",
              "attack": [
                {
                  "id": "T1129",
                  "parts": ["Execution", "Shared Modules"],
                  "tactic": "Execution",
                  "technique": "Shared Modules",
                  "subtechnique": ""
                }
              ],
              "scopes": { "static": "instruction", "dynamic": "call" },
              "authors": ["[email protected]", "[email protected]"],
              "examples": [
                "9324D1A8AE37A36AE560C37448C9705A:0x404130",
                "Practical Malware Analysis Lab 01-04.exe_:0x401350"
              ],
              "namespace": "linking/runtime-linking",
              "references": [],
              "description": "",
              "is_subscope_rule": false
            },
            "source": "rule:\n  meta:\n    name: link function at runtime on Windows\n    namespace: linking/runtime-linking\n    authors:\n      - [email protected]\n      - [email protected]\n    scopes:\n      static: instruction\n      dynamic: call\n    att&ck:\n      - Execution::Shared Modules [T1129]\n    examples:\n      - 9324D1A8AE37A36AE560C37448C9705A:0x404130\n      - Practical Malware Analysis Lab 01-04.exe_:0x401350\n  features:\n    - and:\n      - os: windows\n      - or:\n        - api: kernel32.GetProcAddress\n        - api: ntdll.LdrGetProcedureAddress\n        - api: ntdll.LdrGetProcedureAddressEx\n        - api: ntdll.LdrGetProcedureAddressForCaller\n        - api: MmGetSystemRoutineAddress\n",
            "matches": [
              [
                { "type": "absolute", "value": 4224346 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "and" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "os": "windows", "type": "os" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "no address" }]
                    },
                    {
                      "node": {
                        "type": "statement",
                        "statement": { "type": "or" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "GetProcAddress",
                              "type": "api"
                            }
                          },
                          "success": true,
                          "captures": {},
                          "children": [],
                          "locations": [
                            { "type": "absolute", "value": 4224346 }
                          ]
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressEx",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressForCaller",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "MmGetSystemRoutineAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        }
                      ],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ],
              [
                { "type": "absolute", "value": 4224376 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "and" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "os": "windows", "type": "os" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "no address" }]
                    },
                    {
                      "node": {
                        "type": "statement",
                        "statement": { "type": "or" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "GetProcAddress",
                              "type": "api"
                            }
                          },
                          "success": true,
                          "captures": {},
                          "children": [],
                          "locations": [
                            { "type": "absolute", "value": 4224376 }
                          ]
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressEx",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressForCaller",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "MmGetSystemRoutineAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        }
                      ],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ],
              [
                { "type": "absolute", "value": 4224392 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "and" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "os": "windows", "type": "os" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "no address" }]
                    },
                    {
                      "node": {
                        "type": "statement",
                        "statement": { "type": "or" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "GetProcAddress",
                              "type": "api"
                            }
                          },
                          "success": true,
                          "captures": {},
                          "children": [],
                          "locations": [
                            { "type": "absolute", "value": 4224392 }
                          ]
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressEx",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressForCaller",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "MmGetSystemRoutineAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        }
                      ],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ],
              [
                { "type": "absolute", "value": 4224408 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "and" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "os": "windows", "type": "os" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "no address" }]
                    },
                    {
                      "node": {
                        "type": "statement",
                        "statement": { "type": "or" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "GetProcAddress",
                              "type": "api"
                            }
                          },
                          "success": true,
                          "captures": {},
                          "children": [],
                          "locations": [
                            { "type": "absolute", "value": 4224408 }
                          ]
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressEx",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressForCaller",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "MmGetSystemRoutineAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        }
                      ],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ],
              [
                { "type": "absolute", "value": 4224428 },
                {
                  "node": {
                    "type": "statement",
                    "statement": { "type": "and" }
                  },
                  "success": true,
                  "captures": {},
                  "children": [
                    {
                      "node": {
                        "type": "feature",
                        "feature": { "os": "windows", "type": "os" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [],
                      "locations": [{ "type": "no address" }]
                    },
                    {
                      "node": {
                        "type": "statement",
                        "statement": { "type": "or" }
                      },
                      "success": true,
                      "captures": {},
                      "children": [
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "GetProcAddress",
                              "type": "api"
                            }
                          },
                          "success": true,
                          "captures": {},
                          "children": [],
                          "locations": [
                            { "type": "absolute", "value": 4224428 }
                          ]
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressEx",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "LdrGetProcedureAddressForCaller",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        },
                        {
                          "node": {
                            "type": "feature",
                            "feature": {
                              "api": "MmGetSystemRoutineAddress",
                              "type": "api"
                            }
                          },
                          "success": false,
                          "captures": {},
                          "children": [],
                          "locations": []
                        }
                      ],
                      "locations": []
                    }
                  ],
                  "locations": []
                }
              ]
            ]
          }
        },
        "rules_version": "v9.3.1",
        "command_executed": [
          "/usr/local/bin/capa",
          "--quiet",
          "--json",
          "-r",
          "/opt/deploy/files_required/capa/capa-rules",
          "-s",
          "/opt/deploy/files_required/capa/sigs",
          "/opt/deploy/files_required/3a4ecbcf3309ddd33fcb63bd1c343f33"
        ]
      },
      "errors": [],
      "start_time": "2026-01-11T15:36:14.229731Z",
      "data_model": null,
      "description": "capa detects capabilities in executable files"
    }
  ],
  "connector_reports": [],
  "pivot_reports": [],
  "visualizer_reports": [],
  "analyzable_id": 2,
  "received_request_time": "2026-01-11T15:36:13.899668Z",
  "finished_analysis_time": "2026-01-11T15:36:30.865909Z",
  "process_time": 16.97,
  "warnings": [],
  "errors": []
}

@AnshSinghal AnshSinghal changed the base branch from master to develop January 11, 2026 08:15
Member

@mlodic mlodic left a comment

I already took a quick look, the change is fine, just fix the linters and publish a successful CAPA analysis execution (screenshot + JSON dump) and I guess we are gtg, thanks

@AnshSinghal
Contributor Author

Sure. I will do the same.

@AnshSinghal
Contributor Author

@mlodic please merge

@mlodic mlodic linked an issue Jan 12, 2026 that may be closed by this pull request
@mlodic mlodic merged commit 251a476 into intelowlproject:develop Jan 12, 2026
10 checks passed
Development

Successfully merging this pull request may close these issues.

Capa errors

2 participants