Enumerate Threads (C0064)

ID: C0064
Objective(s): Process
Related ATT&CK Techniques: None
Version: 2.1
Created: 4 December 2020
Last Modified: 30 April 2024

Malware enumerates threads.

Tool: capa
Mapping: enumerate threads (Enumerate Threads, C0064)
APIs: kernel32.Thread32First, kernel32.Thread32Next, kernel32.CreateToolhelp32Snapshot
Process::Enumerate Threads
SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
Location: 0x180003675
lea rdx, [rsp + 0x48] ; pointer to a THREADENTRY32 struct on the stack (lpte argument)
mov rcx, r15 ; handle returned by CreateToolhelp32Snapshot (hSnapshot argument)
call qword ptr [->KERNEL32.DLL::Thread32First] ; Windows API call that retrieves information about the first thread recorded in the snapshot
lea rdx, [rsp + 0x48] ; the same THREADENTRY32 buffer is reused
mov rcx, r15 ; the same snapshot handle
call qword ptr [->KERNEL32.DLL::Thread32Next] ; takes the same arguments as Thread32First and retrieves the next thread from the snapshot; normally called in a loop until it returns FALSE
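To show how the API mapping above turns into a check an analyst can run over a listing, here is an added Python example; it is not MBC or capa code, the rule logic is a simplification written for this page rather than capa's actual rule, and the listings it scans are constructed (the first mirrors the two calls in the snippet above).

```python
from __future__ import annotations
import re

# Constructed listings for this example. LISTING_HIT mirrors the two API calls
# in the snippet above; LISTING_MISS is made up to give the check a negative case.
LISTING_HIT = """
lea rdx, [rsp + 0x48]
mov rcx, r15
call qword ptr [->KERNEL32.DLL::Thread32First]
lea rdx, [rsp + 0x48]
mov rcx, r15
call qword ptr [->KERNEL32.DLL::Thread32Next]
"""

LISTING_MISS = """
mov rcx, rbx
call qword ptr [->KERNEL32.DLL::CloseHandle]
"""

# Matches an indirect call through an import thunk: [->MODULE.DLL::Function]
CALL_RE = re.compile(r"call\s+qword ptr \[->(?P<mod>[\w.]+)::(?P<fn>\w+)\]")

# The APIs from the mapping above, in the same "module.Function" notation.
SNAPSHOT_API = "kernel32.CreateToolhelp32Snapshot"
WALK_APIS = {"kernel32.Thread32First", "kernel32.Thread32Next"}


def referenced_apis(listing: str) -> set[str]:
    """Collect called imports as 'module.Function' (module lower-cased, '.dll' dropped)."""
    apis = set()
    for m in CALL_RE.finditer(listing):
        mod = m.group("mod").lower()
        if mod.endswith(".dll"):
            mod = mod[:-4]
        apis.add(f"{mod}.{m.group('fn')}")
    return apis


def classify(listing: str) -> dict | None:
    """Simplified rule (not capa's own logic): report C0064 when a Thread32 walk API is called."""
    apis = referenced_apis(listing)
    hits = sorted(apis & WALK_APIS)
    if not hits:
        return None
    # The snapshot is often created in another function, so its absence does not
    # clear the finding; it is reported so the analyst knows to look for it.
    return {"id": "C0064", "behavior": "Process::Enumerate Threads",
            "apis": hits, "snapshot_seen": SNAPSHOT_API in apis}


if __name__ == "__main__":
    print(classify(LISTING_HIT))   # reports C0064 with both Thread32 APIs, snapshot_seen False
    print(classify(LISTING_MISS))  # None
```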