Data loss

These indicators flag files containing elements that indicate a capability for, or evidence of, data exfiltration. This can include outgoing network connections, evidence of the file acting as a browser, or other network communications.

| Indicator | Description |
|---|---|
| AbnormalNetworkActivity | The file implements a non-standard method of networking. Malware does this to avoid detection of more common networking approaches. |
| BrowserPluginString | The file has the capability to enumerate or install browser plugins. |
| ContainsBrowserString | The file contains evidence of attempting to create a custom UserAgent string. Malware frequently uses common UserAgent strings to avoid detection in outgoing requests. |
| DownloadFileImports | The file imports functions that can be used to download files to the system. Malware uses this both to further stage an attack and to exfiltrate data via the outbound URL. |
| FirewallModifyImports | The file imports functions used to modify the local Windows firewall. Malware uses this to open holes and avoid detection. |
| HTTPCustomHeaders | The file contains evidence of the creation of other custom HTTP headers. Malware does this to facilitate interactions with command-and-control infrastructure and to avoid detection. |
| IRCCommands | The file contains evidence of interaction with an IRC server. Malware commonly uses IRC to facilitate a command-and-control infrastructure. |
| MemoryExfiltrationImports | The file imports functions that can be used to read memory from a running process. Malware uses this to determine proper places to insert itself, or to extract useful information from the memory of a running process, such as passwords, credit card numbers, or other sensitive information. |
| NetworkOutboundImports | The file imports functions that can be used to send data out to the network or the general Internet. Malware uses this as a method for data exfiltration or for command and control. |
| PipeUsage | The file imports functions that allow the manipulation of named pipes. Malware uses this as a method of communication and of data exfiltration. |
| RPCUsage | The file imports functions that allow it to interact with Remote Procedure Call (RPC) infrastructure. Malware uses this to spread, or to send data to remote systems for exfiltration. |
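To show how import-based and string-based indicators of this kind are derived, the following is an added example, not the vendor's own detection logic: it maps a constructed import list and string list (as an analyst might obtain from a PE import table and a strings dump) to a subset of the indicators above. The API-to-indicator groupings and the regular expressions are assumptions chosen for illustration.

```python
import re

# Assumed grouping of Win32 API names under the indicators above.
# These sets are illustrative assumptions, not the vendor's actual rules.
IMPORT_INDICATORS = {
    "DownloadFileImports": {"URLDownloadToFileA", "URLDownloadToFileW", "InternetReadFile"},
    "NetworkOutboundImports": {"send", "WSASend", "HttpSendRequestA", "HttpSendRequestW", "WinHttpSendRequest"},
    "MemoryExfiltrationImports": {"ReadProcessMemory", "Toolhelp32ReadProcessMemory"},
    "PipeUsage": {"CreateNamedPipeA", "CreateNamedPipeW", "CallNamedPipeA", "CallNamedPipeW"},
    "RPCUsage": {"RpcStringBindingComposeA", "RpcBindingFromStringBindingA", "NdrClientCall2"},
}

# Assumed string patterns: IRC protocol verbs, a UserAgent header being built,
# and non-standard (X-) HTTP headers.
STRING_INDICATORS = {
    "IRCCommands": re.compile(r"\b(NICK|JOIN|PRIVMSG)\s"),
    "ContainsBrowserString": re.compile(r"User-Agent:\s*\S", re.IGNORECASE),
    "HTTPCustomHeaders": re.compile(r"^X-[A-Za-z0-9-]+:", re.IGNORECASE | re.MULTILINE),
}


def classify(imports, strings):
    """Return the set of Data loss indicator names suggested by the file's
    imported API names and its printable strings. Each indicator expresses a
    capability, not intent: benign updaters and browsers trip several of them."""
    hits = set()
    names = set(imports)
    for indicator, apis in IMPORT_INDICATORS.items():
        if names & apis:
            hits.add(indicator)
    for indicator, pattern in STRING_INDICATORS.items():
        if any(pattern.search(s) for s in strings):
            hits.add(indicator)
    return hits


# Constructed sample input standing in for a real import table and strings dump.
SAMPLE_IMPORTS = ["URLDownloadToFileA", "CreateNamedPipeW", "send", "CreateFileW"]
SAMPLE_STRINGS = [
    "User-Agent: Mozilla/5.0 (compatible; MSIE 6.0)",
    "PRIVMSG #channel :",
    "X-Session-Id: %s",
    "kernel32.dll",
]

if __name__ == "__main__":
    for name in sorted(classify(SAMPLE_IMPORTS, SAMPLE_STRINGS)):
        print(name)
```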