

Reads information about supported languages

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Calls an API typically used for searching a directory for files

Installs hooks/patches the running process

Adversaries may log user keystrokes to intercept credentials as the user types them.
Calls an API typically used for keylogging

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Calls an API typically used to retrieve the local language

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Tries to sleep for a long time (more than two minutes)

Adversaries may perform software packing or virtual machine software protection to conceal their code.

Adversaries may delete files left behind by the actions of their intrusion activity.

Adversaries may hook into Windows application programming interface (API) functions to collect user credentials.

Adversaries may execute malicious payloads via loading shared modules.

Adversaries may interact with the native OS application programming interface (API) to execute behaviors.
Calls an API typically used to load a resource in memory

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Contains ability to load content from a resource

Adversaries may employ various means to detect and avoid debuggers.
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments.
