Hybrid Analysis, aka Falcon Sandbox, is a powerful, free malware analysis service for the community that detects and analyzes unknown threats. Hybrid Analysis has its own unique approach, and offers both public-facing and private team-based sandboxing capabilities.
LimaCharlie integrates with the following Hybrid Analysis API calls:
Detection & Response Rules
Overview
The Search API accepts a SHA256 value, and provides an extensive overview of a hash (if previously observed by the platform).
D&R Rule:
The following D&R rule performs this lookup:
# Evaluated for every NEW_PROCESS event the sensor reports.
event: NEW_PROCESS
# Sends the value at event/HASH to the lookup resource below; the surrounding
# text says the overview endpoint expects a SHA256.
op: lookup
path: event/HASH
# NOTE(review): every process hash observed on every sensor is sent to an
# external service here — confirm this fits the Hybrid Analysis API quota and
# the organisation's data-sharing policy before deploying fleet-wide.
resource: lcr://api/hybrid-analysis-overview
Response Data:
{
"result": {
"analysis_start_time": "2023-07-17T18:31:04+00:00",
"architecture": "WINDOWS",
"children_in_progress": 0,
"children_in_queue": 0,
"last_file_name": "cmd.exe",
"last_multi_scan": "2023-07-17T18:31:09+00:00",
"multiscan_result": 0,
"other_file_name": [
"Utilman.exe",
"file",
"kiss.exe",
"osk.exe",
"sethc.exe",
"utilman.exe"
],
"related_children_hashes": [],
"related_parent_hashes": [
"c502bd80423e10dcc4b59fe4b523acb5ce0bd07748f73c7bdc6c797883b8a417"
],
"related_reports": [
{
"environment_id": 100,
"error_origin": null,
"error_type": null,
"job_id": "627e3011d695730f2c3ad419",
"sha256": "c502bd80423e10dcc4b59fe4b523acb5ce0bd07748f73c7bdc6c797883b8a417",
"state": "SUCCESS",
"verdict": "no verdict"
}
],
"reports": [
"58593319aac2edc56d351531",
"5a34f2a27ca3e13531789a95",
"5f196598eac13102deff3d42",
"64b588e7e14d64e6a60b2130",
"5965d8027ca3e10ec737634f",
"60251a499b1b3016bb674fb4",
"637f3600a3d94f1ecc7c1800"
],
"scanners": [
{
"anti_virus_results": [],
"error_message": null,
"name": "CrowdStrike Falcon Static Analysis (ML)",
"percent": 0,
"positives": null,
"progress": 100,
"status": "clean",
"total": null
},
{
"anti_virus_results": [],
"error_message": null,
"name": "Metadefender",
"percent": 0,
"positives": 0,
"progress": 100,
"status": "clean",
"total": 27
},
{
"anti_virus_results": [],
"error_message": null,
"name": "VirusTotal",
"percent": 0,
"positives": 0,
"progress": 100,
"status": "clean",
"total": 75
}
],
"scanners_v2": {
"bfore_ai": null,
"clean_dns": null,
"crowdstrike_ml": {
"anti_virus_results": [],
"error_message": null,
"name": "CrowdStrike Falcon Static Analysis (ML)",
"percent": 0,
"progress": 100,
"status": "clean"
},
"metadefender": {
"anti_virus_results": [],
"error_message": null,
"name": "Metadefender",
"percent": 0,
"positives": 0,
"progress": 100,
"status": "clean",
"total": 27
},
"scam_adviser": null,
"urlscan_io": null,
"virustotal": {
"error_message": null,
"name": "VirusTotal",
"percent": 0,
"positives": 0,
"progress": 100,
"status": "clean",
"total": 75
}
},
"sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
"size": 232960,
"submit_context": [],
"tags": [],
"threat_score": null,
"type": "PE32+ executable (console) x86-64, for MS Windows",
"type_short": [
"peexe",
"64bits",
"executable"
],
"url_analysis": false,
"verdict": "no specific threat",
"vx_family": null,
"whitelisted": false
}
}
Search
The Search lookup provides a basic lookup of a hash value. This lookup accepts one of the following values:
MD5
SHA1
SHA256
D&R Rule:
# Evaluated for every NEW_PROCESS event the sensor reports.
event: NEW_PROCESS
# Sends the value at event/HASH to the lookup resource below; the surrounding
# text says the search endpoint accepts an MD5, SHA1 or SHA256.
op: lookup
path: event/HASH
# NOTE(review): every process hash observed on every sensor is sent to an
# external service here — confirm this fits the Hybrid Analysis API quota and
# the organisation's data-sharing policy before deploying fleet-wide.
resource: lcr://api/hybrid-analysis-search
Response Data:
[
{
"classification_tags": [],
"tags": [],
"submissions": [
{
"submission_id": "64b588e7e14d64e6a60b2131",
"filename": "cmd.exe",
"url": null,
"created_at": "2023-07-17T18:31:03+00:00"
}
],
"machine_learning_models": [],
"crowdstrike_ai": {
"executable_process_memory_analysis": [],
"analysis_related_urls": []
},
"job_id": "64b588e7e14d64e6a60b2130",
"environment_id": 160,
"environment_description": "Windows 10 64 bit",
"size": 232960,
"type": "PE32+ executable (console) x86-64, for MS Windows",
"type_short": [
"peexe",
"64bits",
"executable"
],
"target_url": null,
"state": "SUCCESS",
"error_type": null,
"error_origin": null,
"submit_name": "cmd.exe",
"md5": "f4f684066175b77e0c3a000549d2922c",
"sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
"sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
"sha512": "fe8f0593cc335ad28eb90211bc4ff01a3d2992cffb3877d04cefede9ef94afeb1a7d7874dd0c0ae04eaf8308291d5a4d879e6ecf6fe2b8d0ff1c3ac7ef143206",
"ssdeep": "3072:bkd4COZG6/A1tO1Y6TbkX2FtynroeJ/MEJoSsasbLLkhyjyGe:bkuC9+Af0Y6TbbFtkoeJk1KsfLXm",
"imphash": "3062ed732d4b25d1c64f084dac97d37a",
"entrypoint": "0x140015190",
"entrypoint_section": ".text",
"image_base": "0x140000000",
"subsystem": "Windows Cui",
"image_file_characteristics": [
"EXECUTABLE_IMAGE",
"LARGE_ADDRESS_AWARE"
],
"dll_characteristics": [
"GUARD_CF",
"TERMINAL_SERVER_AWARE",
"DYNAMIC_BASE",
"NX_COMPAT",
"HIGH_ENTROPY_VA"
],
"major_os_version": 10,
"minor_os_version": 0,
"av_detect": 0,
"vx_family": null,
"url_analysis": false,
"analysis_start_time": "2023-07-17T18:31:04+00:00",
"threat_score": null,
"interesting": false,
"threat_level": 0,
"verdict": "no specific threat",
"certificates": [],
"is_certificates_valid": false,
"certificates_validation_message": "No signature was present in the subject. (0x800b0100)",
"domains": [],
"compromised_hosts": [],
"hosts": [],
"total_network_connections": 0,
"total_processes": 1,
"total_signatures": 99,
"extracted_files": [],
"file_metadata": null,
"processes": [],
"mitre_attcks": [
{
"tactic": "Execution",
"technique": "Shared Modules",
"attck_id": "T1129",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1129",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 3,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Execution",
"technique": "Native API",
"attck_id": "T1106",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 2,
"suspicious_identifiers": [],
"informative_identifiers_count": 10,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Execution",
"technique": "Windows Command Shell",
"attck_id": "T1059.003",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1059/003",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Command and Scripting Interpreter",
"attck_id": "T1059",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1059"
}
},
{
"tactic": "Persistence",
"technique": "Windows Service",
"attck_id": "T1543.003",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1543/003",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": {
"technique": "Create or Modify System Process",
"attck_id": "T1543",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1543"
}
},
{
"tactic": "Persistence",
"technique": "Create or Modify System Process",
"attck_id": "T1543",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1543",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Persistence",
"technique": "Registry Run Keys / Startup Folder",
"attck_id": "T1547.001",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1547/001",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Boot or Logon Autostart Execution",
"attck_id": "T1547",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1547"
}
},
{
"tactic": "Privilege Escalation",
"technique": "Windows Service",
"attck_id": "T1543.003",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1543/003",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": {
"technique": "Create or Modify System Process",
"attck_id": "T1543",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1543"
}
},
{
"tactic": "Privilege Escalation",
"technique": "Token Impersonation/Theft",
"attck_id": "T1134.001",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 3,
"informative_identifiers": [],
"parent": {
"technique": "Access Token Manipulation",
"attck_id": "T1134",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134"
}
},
{
"tactic": "Privilege Escalation",
"technique": "Create or Modify System Process",
"attck_id": "T1543",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1543",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Privilege Escalation",
"technique": "Create Process with Token",
"attck_id": "T1134.002",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134/002",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Access Token Manipulation",
"attck_id": "T1134",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134"
}
},
{
"tactic": "Privilege Escalation",
"technique": "Dynamic-link Library Injection",
"attck_id": "T1055.001",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055/001",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Process Injection",
"attck_id": "T1055",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
}
},
{
"tactic": "Privilege Escalation",
"technique": "Thread Execution Hijacking",
"attck_id": "T1055.003",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055/003",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [],
"informative_identifiers_count": 0,
"informative_identifiers": [],
"parent": {
"technique": "Process Injection",
"attck_id": "T1055",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
}
},
{
"tactic": "Privilege Escalation",
"technique": "Process Injection",
"attck_id": "T1055",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Privilege Escalation",
"technique": "Registry Run Keys / Startup Folder",
"attck_id": "T1547.001",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1547/001",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Boot or Logon Autostart Execution",
"attck_id": "T1547",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1547"
}
},
{
"tactic": "Privilege Escalation",
"technique": "Extra Window Memory Injection",
"attck_id": "T1055.011",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055/011",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [],
"informative_identifiers_count": 0,
"informative_identifiers": [],
"parent": {
"technique": "Process Injection",
"attck_id": "T1055",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
}
},
{
"tactic": "Defense Evasion",
"technique": "Obfuscated Files or Information",
"attck_id": "T1027",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1027",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Defense Evasion",
"technique": "Match Legitimate Name or Location",
"attck_id": "T1036.005",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1036/005",
"malicious_identifiers_count": 1,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 0,
"informative_identifiers": [],
"parent": {
"technique": "Masquerading",
"attck_id": "T1036",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1036"
}
},
{
"tactic": "Defense Evasion",
"technique": "Debugger Evasion",
"attck_id": "T1622",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1622",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Defense Evasion",
"technique": "File and Directory Permissions Modification",
"attck_id": "T1222",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1222",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Defense Evasion",
"technique": "Token Impersonation/Theft",
"attck_id": "T1134.001",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 3,
"informative_identifiers": [],
"parent": {
"technique": "Access Token Manipulation",
"attck_id": "T1134",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134"
}
},
{
"tactic": "Defense Evasion",
"technique": "Timestomp",
"attck_id": "T1070.006",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1070/006",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": {
"technique": "Indicator Removal",
"attck_id": "T1070",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1070"
}
},
{
"tactic": "Defense Evasion",
"technique": "Modify Registry",
"attck_id": "T1112",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1112",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 4,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Defense Evasion",
"technique": "Disable or Modify Tools",
"attck_id": "T1562.001",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1562/001",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Impair Defenses",
"attck_id": "T1562",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1562"
}
},
{
"tactic": "Defense Evasion",
"technique": "Create Process with Token",
"attck_id": "T1134.002",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134/002",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Access Token Manipulation",
"attck_id": "T1134",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134"
}
},
{
"tactic": "Defense Evasion",
"technique": "Dynamic-link Library Injection",
"attck_id": "T1055.001",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055/001",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Process Injection",
"attck_id": "T1055",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
}
},
{
"tactic": "Defense Evasion",
"technique": "Thread Execution Hijacking",
"attck_id": "T1055.003",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055/003",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [],
"informative_identifiers_count": 0,
"informative_identifiers": [],
"parent": {
"technique": "Process Injection",
"attck_id": "T1055",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
}
},
{
"tactic": "Defense Evasion",
"technique": "Process Injection",
"attck_id": "T1055",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Defense Evasion",
"technique": "File Deletion",
"attck_id": "T1070.004",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1070/004",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Indicator Removal",
"attck_id": "T1070",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1070"
}
},
{
"tactic": "Defense Evasion",
"technique": "Direct Volume Access",
"attck_id": "T1006",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1006",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Defense Evasion",
"technique": "Time Based Evasion",
"attck_id": "T1497.003",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1497/003",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": {
"technique": "Virtualization/Sandbox Evasion",
"attck_id": "T1497",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1497"
}
},
{
"tactic": "Defense Evasion",
"technique": "Software Packing",
"attck_id": "T1027.002",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1027/002",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 3,
"suspicious_identifiers": [],
"informative_identifiers_count": 0,
"informative_identifiers": [],
"parent": {
"technique": "Obfuscated Files or Information",
"attck_id": "T1027",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1027"
}
},
{
"tactic": "Defense Evasion",
"technique": "Extra Window Memory Injection",
"attck_id": "T1055.011",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055/011",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [],
"informative_identifiers_count": 0,
"informative_identifiers": [],
"parent": {
"technique": "Process Injection",
"attck_id": "T1055",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
}
},
{
"tactic": "Credential Access",
"technique": "Credential API Hooking",
"attck_id": "T1056.004",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1056/004",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [],
"informative_identifiers_count": 0,
"informative_identifiers": [],
"parent": {
"technique": "Input Capture",
"attck_id": "T1056",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1056"
}
},
{
"tactic": "Discovery",
"technique": "File and Directory Discovery",
"attck_id": "T1083",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1083",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 7,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "Process Discovery",
"attck_id": "T1057",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1057",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [],
"informative_identifiers_count": 4,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "Query Registry",
"attck_id": "T1012",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1012",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [],
"informative_identifiers_count": 4,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "System Service Discovery",
"attck_id": "T1007",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1007",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "System Information Discovery",
"attck_id": "T1082",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 9,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "System Language Discovery",
"attck_id": "T1614.001",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1614/001",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "System Location Discovery",
"attck_id": "T1614",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1614"
}
},
{
"tactic": "Discovery",
"technique": "Debugger Evasion",
"attck_id": "T1622",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1622",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "System Owner/User Discovery",
"attck_id": "T1033",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1033",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "System Network Connections Discovery",
"attck_id": "T1049",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1049",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "System Network Configuration Discovery",
"attck_id": "T1016",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1016",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "Network Share Discovery",
"attck_id": "T1135",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1135",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "System Location Discovery",
"attck_id": "T1614",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1614",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "System Time Discovery",
"attck_id": "T1124",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1124",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "Time Based Evasion",
"attck_id": "T1497.003",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1497/003",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 2,
"informative_identifiers": [],
"parent": {
"technique": "Virtualization/Sandbox Evasion",
"attck_id": "T1497",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1497"
}
},
{
"tactic": "Lateral Movement",
"technique": "Lateral Tool Transfer",
"attck_id": "T1570",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1570",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Collection",
"technique": "Credential API Hooking",
"attck_id": "T1056.004",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1056/004",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 1,
"suspicious_identifiers": [],
"informative_identifiers_count": 0,
"informative_identifiers": [],
"parent": {
"technique": "Input Capture",
"attck_id": "T1056",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1056"
}
},
{
"tactic": "Collection",
"technique": "Local Data Staging",
"attck_id": "T1074.001",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1074/001",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": {
"technique": "Data Staged",
"attck_id": "T1074",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1074"
}
},
{
"tactic": "Command and Control",
"technique": "Application Layer Protocol",
"attck_id": "T1071",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1071",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Command and Control",
"technique": "Ingress Tool Transfer",
"attck_id": "T1105",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1105",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Exfiltration",
"technique": "Scheduled Transfer",
"attck_id": "T1029",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1029",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Impact",
"technique": "Service Stop",
"attck_id": "T1489",
"attck_id_wiki": "https://attack.mitre.org/techniques/T1489",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
}
],
"network_mode": "default",
"signatures": [
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "api-7",
"type": 6,
"relevance": 1,
"name": "Loads modules at runtime",
"description": "\"cmd.exe\" loaded module \"KERNEL32\" at base e8360000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-STRING-L1-1-0\" at base e5170000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-DATETIME-L1-1-1\" at base e5170000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-LOCALIZATION-OBSOLETE-L1-2-0\" at base e5170000\n \"cmd.exe\" loaded module \"%WINDIR%\\SYSTEM32\\IMM32.DLL\" at base e5be0000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-SYNCH-L1-2-0\" at base e5170000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-FIBERS-L1-1-1\" at base e5170000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-LOCALIZATION-L1-2-1\" at base e5170000\n \"cmd.exe\" loaded module \"%WINDIR%\\TEMP\\VXOLE64.DLL\" at base d3ef0000\n \"cmd.exe\" loaded module \"KERNEL32.DLL\" at base e8360000",
"origin": "API Call",
"attck_id": "T1129",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1129"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "api-175",
"type": 6,
"relevance": 1,
"name": "Calls an API typically used to load libraries",
"description": "\"cmd.exe\" called \"LoadLibrary\" with a parameter api-ms-win-core-synch-l1-2-0 (UID: 00000000-00004716)\n \"cmd.exe\" called \"LoadLibrary\" with a parameter api-ms-win-core-fibers-l1-1-1 (UID: 00000000-00004716)\n \"cmd.exe\" called \"LoadLibrary\" with a parameter api-ms-win-core-localization-l1-2-1 (UID: 00000000-00004716)\n \"cmd.exe\" called \"LoadLibrary\" with a parameter kernel32 (UID: 00000000-00004716)",
"origin": "API Call",
"attck_id": "T1129",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1129"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "api-176",
"type": 6,
"relevance": 1,
"name": "Calls an API typically used to retrieve function addresses",
"description": "\"cmd.exe\" called \"GetProcAddress\" with a parameter InitializeCriticalSectionEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlsAlloc (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlsSetValue (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlsGetValue (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter LCMapStringEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlsFree (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter InitOnceExecuteOnce (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateEventExW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateSemaphoreW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateSemaphoreExW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateThreadpoolTimer (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SetThreadpoolTimer (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter WaitForThreadpoolTimerCallbacks (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CloseThreadpoolTimer (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateThreadpoolWait (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SetThreadpoolWait (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CloseThreadpoolWait (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlushProcessWriteBuffers (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FreeLibraryWhenCallbackReturns (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter 
GetCurrentProcessorNumber (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateSymbolicLinkW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetCurrentPackageId (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetTickCount64 (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetFileInformationByHandleEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SetFileInformationByHandle (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetSystemTimePreciseAsFileTime (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter InitializeConditionVariable (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter WakeConditionVariable (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter WakeAllConditionVariable (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SleepConditionVariableCS (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter InitializeSRWLock (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter AcquireSRWLockExclusive (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter TryAcquireSRWLockExclusive (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter ReleaseSRWLockExclusive (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SleepConditionVariableSRW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateThreadpoolWork (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SubmitThreadpoolWork (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CloseThreadpoolWork (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a 
parameter CompareStringEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetLocaleInfoEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter AreFileApisANSI (UID: 00000000-00004716)",
"origin": "API Call",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "module-10",
"type": 10,
"relevance": 0,
"name": "Loads the RPC (Remote Procedure Call) module DLL",
"description": "\"cmd.exe\" loaded module \"%WINDIR%\\System32\\rpcrt4.dll\" at E8420000",
"origin": "Loaded Module",
"attck_id": "T1129",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1129"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "module-9",
"type": 10,
"relevance": 0,
"name": "Loads the Bcrypt module DLL",
"description": "\"cmd.exe\" loaded module \"%WINDIR%\\System32\\bcryptprimitives.dll\" at E55D0000",
"origin": "Loaded Module",
"attck_id": "T1027",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1027"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "registry-25",
"type": 3,
"relevance": 3,
"name": "Reads information about supported languages",
"description": "\"cmd.exe\" (Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE\"; Key: \"EN-US\")\n \"cmd.exe\" (Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\EXTENDEDLOCALE\"; Key: \"EN-US\")\n \"cmd.exe\" (Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\LOCALE\"; Key: \"00000409\")",
"origin": "Registry Access",
"attck_id": "T1082",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-101",
"type": 2,
"relevance": 1,
"name": "Contains ability to execute Windows APIs",
"description": "Found reference to API (Indicator: \"SetConsoleInputExeNameW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"IsDebuggerPresent\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CopyFileExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetThreadUILanguage\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtQueryInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlCreateUnicodeStringFromAsciiz\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlNtStatusToDosError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtSetInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlFreeUnicodeString\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlDosPathNameToRelativeNtPathName_U_WithStatus\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtSetInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlReleaseRelativeName\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtQueryVolumeInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtOpenFile\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlFindLeastSignificantBit\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlDosPathNameToNtPathName_U\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtFsControlFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlFreeHeap\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlCaptureContext\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlLookupFunctionEntry\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlVirtualUnwind\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CopyFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReadFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetThreadLocale\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FindFirstFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetConsoleScreenBufferInfo\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFullPathNameW\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FindNextFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetConsoleOutputCP\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetStdHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCPInfo\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetFilePointer\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FindClose\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"MultiByteToWideChar\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetLastError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FillConsoleOutputCharacterW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReadConsoleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CloseHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReleaseSRWLockShared\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found 
reference to API (Indicator: \"FlushConsoleInputBuffer\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"WriteConsoleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetProcAddress\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"AcquireSRWLockShared\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileSize\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetProcessHeap\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetModuleHandleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"WideCharToMultiByte\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileType\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetConsoleCursorPosition\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RevertToSelf\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"VirtualQuery\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetLocalTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetLocaleInfoW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetUserDefaultLCID\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FileTimeToSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FileTimeToLocalFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetLocalTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetTimeFormatW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SystemTimeToFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetDateFormatW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetNumaHighestNodeNumber\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCommandLineW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetConsoleMode\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetEnvironmentVariableW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetEnvironmentVariableW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FreeEnvironmentStringsW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetConsoleMode\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetEnvironmentStringsW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetEnvironmentStringsW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetStartupInfoW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegQueryValueExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NeedCurrentDirectoryForExePathW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetLastError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegDeleteValueW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"InitializeProcThreadAttributeList\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateProcessAsUserW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegOpenKeyExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetErrorMode\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetConsoleTitleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileAttributesW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegSetValueExW\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegEnumKeyExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"UpdateProcThreadAttribute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegCreateKeyExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DeleteProcThreadAttributeList\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReadProcessMemory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateProcessW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegDeleteKeyExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegCloseKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"LoadLibraryExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"MoveFileWithProgressW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"LocalFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"MoveFileExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetConsoleTitleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetVolumeInformationW\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SearchPathW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"WriteFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GlobalAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GlobalFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetFilePointerEx\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetConsoleCtrlHandler\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"EnterCriticalSection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"TryAcquireSRWLockExclusive\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ExpandEnvironmentStringsW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetModuleFileNameW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"LeaveCriticalSection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"InitializeCriticalSection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetVersion\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReleaseSRWLockExclusive\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetWindowsDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileAttributesExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetDriveTypeW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCurrentThreadId\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapSetInformation\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"OpenThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"VirtualFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"VirtualAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapSize\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapReAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DuplicateHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FlushFileBuffers\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetACP\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FormatMessageW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found 
reference to API (Indicator: \"SetConsoleTextAttribute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ScrollConsoleScreenBufferW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FillConsoleOutputAttribute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetEndOfFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetFileAttributesW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DeleteFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"TerminateProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"WaitForSingleObject\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetCurrentDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetExitCodeProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCurrentDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileInformationByHandleEx\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to 
API (Indicator: \"RemoveDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CompareFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DeviceIoControl\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileSecurityW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetSecurityDescriptorOwner\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetDiskFreeSpaceExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FindFirstFileExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ResumeThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetThreadGroupAffinity\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetNumaNodeProcessorMaskEx\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetThreadLocale\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateHardLinkW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetVolumePathNameW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateSymbolicLinkW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"Sleep\"; 
File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"UnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetUnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCurrentProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"QueryPerformanceCounter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCurrentProcessId\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetSystemTimeAsFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetTickCount\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"lstrcmpiW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"lstrcmpW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetProcessAffinityMask\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtOpenProcessToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtQueryInformationToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtClose\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtOpenThreadToken\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DelayLoadFailureHook\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"Beep\"; Source: \"00000000-00004716.00000000.77972.48F50000.00000002.mdmp, 00000000-00004716.00000001.79890.48F50000.00000002.mdmp, 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleInputExeNameW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"IsDebuggerPresent\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CopyFileExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetThreadUILanguage\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtQueryInformationProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlCreateUnicodeStringFromAsciiz\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlNtStatusToDosError\"; 
Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtSetInformationProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlFreeUnicodeString\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlDosPathNameToRelativeNtPathName_U_WithStatus\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtSetInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlReleaseRelativeName\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtQueryVolumeInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtOpenFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: 
\"RtlFindLeastSignificantBit\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlDosPathNameToNtPathName_U\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtFsControlFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlFreeHeap\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlCaptureContext\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlLookupFunctionEntry\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlVirtualUnwind\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CopyFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ReadFile\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetThreadLocale\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FindFirstFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetConsoleScreenBufferInfo\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFullPathNameW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FindNextFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetConsoleOutputCP\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetStdHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 
00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCPInfo\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetFilePointer\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FindClose\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"MultiByteToWideChar\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetLastError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FillConsoleOutputCharacterW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ReadConsoleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CloseHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ReleaseSRWLockShared\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapAlloc\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FlushConsoleInputBuffer\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"WriteConsoleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetProcAddress\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"AcquireSRWLockShared\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileSize\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found 
reference to API (Indicator: \"GetProcessHeap\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetModuleHandleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"WideCharToMultiByte\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileType\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleCursorPosition\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RevertToSelf\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"VirtualQuery\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetLocalTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetLocaleInfoW\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetUserDefaultLCID\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FileTimeToSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FileTimeToLocalFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetLocalTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetTimeFormatW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SystemTimeToFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetDateFormatW\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetNumaHighestNodeNumber\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCommandLineW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleMode\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetEnvironmentVariableW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetEnvironmentVariableW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FreeEnvironmentStringsW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetConsoleMode\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetEnvironmentStringsW\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetEnvironmentStringsW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetStartupInfoW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegQueryValueExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NeedCurrentDirectoryForExePathW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetLastError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegDeleteValueW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"InitializeProcThreadAttributeList\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateProcessAsUserW\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegOpenKeyExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetErrorMode\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetConsoleTitleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileAttributesW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegSetValueExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegEnumKeyExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"UpdateProcThreadAttribute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegCreateKeyExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 
00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DeleteProcThreadAttributeList\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ReadProcessMemory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateProcessW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegDeleteKeyExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegCloseKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"LoadLibraryExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"MoveFileWithProgressW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"LocalFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"MoveFileExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleTitleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetVolumeInformationW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SearchPathW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"WriteFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GlobalAlloc\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GlobalFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetFilePointerEx\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API 
(Indicator: \"SetConsoleCtrlHandler\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"EnterCriticalSection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"TryAcquireSRWLockExclusive\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ExpandEnvironmentStringsW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetModuleFileNameW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"LeaveCriticalSection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"InitializeCriticalSection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetVersion\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: 
\"ReleaseSRWLockExclusive\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetWindowsDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileAttributesExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetDriveTypeW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCurrentThreadId\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapSetInformation\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"OpenThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"VirtualFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"VirtualAlloc\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapSize\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapReAlloc\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DuplicateHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FlushFileBuffers\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetACP\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FormatMessageW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleTextAttribute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ScrollConsoleScreenBufferW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 
00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FillConsoleOutputAttribute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetEndOfFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetFileAttributesW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DeleteFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"TerminateProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"WaitForSingleObject\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetCurrentDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetExitCodeProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCurrentDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileInformationByHandleEx\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RemoveDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CompareFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DeviceIoControl\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileSecurityW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetSecurityDescriptorOwner\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetDiskFreeSpaceExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FindFirstFileExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ResumeThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetThreadGroupAffinity\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetNumaNodeProcessorMaskEx\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetThreadLocale\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateHardLinkW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetVolumePathNameW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateSymbolicLinkW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"Sleep\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"UnhandledExceptionFilter\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetUnhandledExceptionFilter\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCurrentProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"QueryPerformanceCounter\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCurrentProcessId\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetSystemTimeAsFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetTickCount\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"lstrcmpiW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"lstrcmpW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetProcessAffinityMask\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtOpenProcessToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtQueryInformationToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtClose\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found 
reference to API (Indicator: \"NtOpenThreadToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DelayLoadFailureHook\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-7",
"type": 2,
"relevance": 1,
"name": "Contains PDB pathways",
"description": "\"cmd.pdb\"",
"origin": "File/Memory",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-240",
"type": 2,
"relevance": 1,
"name": "Contains ability to execute an application (API string)",
"description": "Found reference to API \"ShellExecuteWorker\" (Indicator: \"ShellExecute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"ShellExecuteWorker\" (Indicator: \"ShellExecute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-315",
"type": 2,
"relevance": 1,
"name": "Contains ability to create/open files (API string)",
"description": "Found reference to API \"NtOpenFile\" (Indicator: \"NtOpenFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"CreateFileW\" (Indicator: \"CreateFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenFile\" (Indicator: \"NtOpenFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"CreateFileW\" (Indicator: \"CreateFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-220",
"type": 2,
"relevance": 1,
"name": "Contains ability to create/control drivers (API string)",
"description": "Found reference to API \"NtFsControlFile\" (Indicator: \"FsControlFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"DeviceIoControl\" (Indicator: \"DeviceIoControl\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtFsControlFile\" (Indicator: \"FsControlFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"DeviceIoControl\" (Indicator: \"DeviceIoControl\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1543.003",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1543/003"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-319",
"type": 2,
"relevance": 1,
"name": "Contains ability to set/get the last-error code for a calling thread (API string)",
"description": "Found reference to API \"GetLastError\" (Indicator: \"GetLastError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetLastError\" (Indicator: \"SetLastError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetLastError\" (Indicator: \"GetLastError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"SetLastError\" (Indicator: \"SetLastError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-272",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve/open a process (API string)",
"description": "Found reference to API \"GetProcessHeap\" (Indicator: \"GetProcessHeap\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetProcessHeap\" (Indicator: \"GetProcessHeap\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1057",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1057"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-206",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve the command-line string for the current process (API string)",
"description": "Found reference to API \"GetCommandLineW\" (Indicator: \"GetCommandLine\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetCommandLineW\" (Indicator: \"GetCommandLine\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1059.003",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1059/003"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-204",
"type": 2,
"relevance": 1,
"name": "Contains ability to create a new process (API string)",
"description": "Found reference to API \"CreateProcessAsUserW\" (Indicator: \"CreateProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"CreateProcessW\" (Indicator: \"CreateProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"CreateProcessAsUserW\" (Indicator: \"CreateProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"CreateProcessW\" (Indicator: \"CreateProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-307",
"type": 2,
"relevance": 1,
"name": "Contains ability to create/load registry keys (API string)",
"description": "Found reference to API \"RegCreateKeyExW\" (Indicator: \"RegCreateKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegCreateKeyExW\" (Indicator: \"RegCreateKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1112",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1112"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-345",
"type": 2,
"relevance": 1,
"name": "Contains ability to disable/close registry key (API string)",
"description": "Found reference to API \"RegCloseKey\" (Indicator: \"RegCloseKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegCloseKey\" (Indicator: \"RegCloseKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1112",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1112"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-322",
"type": 2,
"relevance": 1,
"name": "Contains ability to move file or directory (API string)",
"description": "Found reference to API \"MoveFileWithProgressW\" (Indicator: \"MoveFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"MoveFileExW\" (Indicator: \"MoveFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"MoveFileWithProgressW\" (Indicator: \"MoveFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"MoveFileExW\" (Indicator: \"MoveFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1570",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1570"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-161",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve/modify process thread (API string)",
"description": "Found reference to API \"OpenThread\" (Indicator: \"OpenThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"ResumeThread\" (Indicator: \"ResumeThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"OpenThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"OpenThread\" (Indicator: \"OpenThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"ResumeThread\" (Indicator: \"ResumeThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"OpenThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-423",
"type": 2,
"relevance": 1,
"name": "Contains ability to create directories (API string)",
"description": "Found reference to API \"CreateDirectoryW\" (Indicator: \"CreateDirectory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"CreateDirectoryW\" (Indicator: \"CreateDirectory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1074.001",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1074/001"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-120",
"type": 2,
"relevance": 1,
"name": "Contains registry location strings",
"description": "\"Software\\Microsoft\\Command Processor\" in Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\n \"Software\\Policies\\Microsoft\\Windows\\System\" in Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\n \"Software\\Classes\" in Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\n \"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Keyboard Layout\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\RegEdt32\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\CLOCK\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\EXTENSIONS\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\CHARMAP\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\NETWORK\\\\PERSISTENT CONNECTIONS\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 
00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\TRUETYPE\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\TWAIN\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS HELP\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\Command Processor\" in Source: 00000000-00004716.00000000.77972.49307000.00000002.mdmp\n 00000000-00004716.00000001.79890.49307000.00000002.mdmp\n 00000000-00004716.00000002.81813.49307000.00000002.mdmp\n \"Software\\Policies\\Microsoft\\Windows\\System\" in Source: 00000000-00004716.00000000.77972.49307000.00000002.mdmp\n 00000000-00004716.00000001.79890.49307000.00000002.mdmp\n 00000000-00004716.00000002.81813.49307000.00000002.mdmp\n \"Software\\Classes\" in Source: 00000000-00004716.00000000.77972.49307000.00000002.mdmp\n 00000000-00004716.00000001.79890.49307000.00000002.mdmp\n 
00000000-00004716.00000002.81813.49307000.00000002.mdmp",
"origin": "File/Memory",
"attck_id": "T1012",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1012"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "static-157",
"type": 0,
"relevance": 0,
"name": "Matched Compiler/Packer signature (DIE)",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" was detected as \"Microsoft Visual C/C++\" and name: \"Compiler\"\n \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" was detected as \"Microsoft Linker\" and name: \"Linker\"",
"origin": "Static Parser",
"attck_id": "T1027",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1027"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "static-93",
"type": 0,
"relevance": 1,
"name": "PE file has a high image base",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has high imagebase \"0x140000000\"",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "static-154",
"type": 0,
"relevance": 0,
"name": "File contains dynamic base/NX flags",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has flags like IMAGE_DLLCHARACTERISTICS_GUARD_CF\n IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE\n IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n IMAGE_DLLCHARACTERISTICS_NX_COMPAT\n IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "static-96",
"type": 0,
"relevance": 0,
"name": "PE file entrypoint instructions",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" file has an entrypoint instructions - \"sub\trsp, 0x28,call\t0x1400156b4,add\trsp, 0x28,jmp\t0x140014fc0,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,nop\tword ptr [rax + rax],cmp\trcx, qword ptr [rip + 0x19e41],jne\t0x1400151d9,rol\trcx, 0x10,test\tcx, 0xffff,jne\t0x1400151d5,ret\t,ror\trcx, 0x10,jmp\t0x140015220,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,push\trbx,sub\trsp, 0x20,mov\trbx, rcx,xor\tecx, ecx,\"",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "static-80",
"type": 0,
"relevance": 1,
"name": "PE file contains executable sections",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has an executable section named \".text\"",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "static-95",
"type": 0,
"relevance": 0,
"name": "PE file contains writable sections",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has an writable section named \".data\"\n \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has an writable section named \".didat\"",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "static-146",
"type": 0,
"relevance": 0,
"name": "PE file contains Debug data directory",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has Debug data directory \"IMAGE_DIRECTORY_ENTRY_DEBUG\"",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "stream-103",
"type": 1,
"relevance": 3,
"name": "Contains ability to delay the execution of current thread",
"description": "Sleep at 61526-1-0000000140015190",
"origin": "Hybrid Analysis Technology",
"attck_id": "T1497.003",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1497/003"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-625",
"type": 2,
"relevance": 1,
"name": "References Windows filepaths for DLLs (possible dropped files)",
"description": "Observed system executable string:\"C:\\windows\\temp\\VxSSL64.dll\" [Source: 00000000-00004716.00000000.77972.67BF0000.00000020.mdmp\n 00000000-00004716.00000001.79890.67BF0000.00000020.mdmp\n 00000000-00004716.00000002.81813.67BF0000.00000020.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\sxsoa.dll\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\GdiPlus.dll\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\comctl32.dll\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\sxsoaps.dll\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\comctl32.dll.mui\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\":\\WINDOWS\\SYSTEM32\\ntdll.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\KERNEL32.DLL\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 
00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\msvcrt.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\KERNELBASE.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\windows\\temp\\VxSSL64.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\WS2_32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\"C:\\windows\\temp\\VxOle64.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000000.77972.69E40000.00000020.mdmp\n 00000000-00004716.00000000.77972.69E70000.00000002.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69E40000.00000020.mdmp\n 00000000-00004716.00000001.79890.69E70000.00000002.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69E40000.00000020.mdmp\n 00000000-00004716.00000002.81813.69E70000.00000002.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\RPCRT4.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n 
Observed system executable string:\":\\WINDOWS\\SYSTEM32\\FLTLIB.DLL\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\SYSTEM32\\gdi32full.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\ucrtbase.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\USER32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\ADVAPI32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\ole32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\GDI32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\gdi32full.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 
00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\combase.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\msvcp_win.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\sechost.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]",
"origin": "File/Memory",
"attck_id": "T1083",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Unusual Characteristics",
"identifier": "registry-26",
"type": 3,
"relevance": 2,
"name": "Reads the windows installation language",
"description": "\"cmd.exe\" (Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\LANGUAGE GROUPS\"; Key: \"1\")",
"origin": "Registry Access",
"attck_id": "T1614.001",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1614/001"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Installation/Persistence",
"identifier": "api-126",
"type": 6,
"relevance": 3,
"name": "Tries to access non-existent files (executable)",
"description": "\"cmd.exe\" trying to access non-existent file \"C:\\FLTLIB.DLL\"\n \"cmd.exe\" trying to access non-existent file \"C:\\NETMSG.DLL\"\n \"cmd.exe\" trying to access non-existent file \"C:\\netmsg.dll\"",
"origin": "API Call",
"attck_id": "T1083",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Installation/Persistence",
"identifier": "api-263",
"type": 6,
"relevance": 1,
"name": "Touches files",
"description": "\"cmd.exe\" trying to touch file \"C:\\FLTLIB.DLL\"\n \"cmd.exe\" trying to touch file \"C:\\Windows\\System32\\fltLib.dll\"\n \"cmd.exe\" trying to touch file \"C:\\Windows\\System32\\KernelBase.dll\"\n \"cmd.exe\" trying to touch file \"C:\\windows\\temp\\VxOle64.dll\"\n \"cmd.exe\" trying to touch file \"C:\\Windows\\System32\\imm32.dll\"\n \"cmd.exe\" trying to touch file \"C:\\WINDOWS\\system32\\IMM32.DLL\"\n \"cmd.exe\" trying to touch file \"C:\\EN-US\\CMD.EXE.MUI\"\n \"cmd.exe\" trying to touch file \"C:\\EN\\CMD.EXE.MUI\"\n \"cmd.exe\" trying to touch file \"C:\\cmd.exe\"\n \"cmd.exe\" trying to touch file \"C:\\Windows\\System32\\oleaut32.dll\"",
"origin": "API Call",
"attck_id": "T1083",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Installation/Persistence",
"identifier": "api-235",
"type": 6,
"relevance": 1,
"name": "Queries basic information of the specified process",
"description": "\"cmd.exe\" queries basic process information of the \"C:\\cmd.exe\" (UID: 4716)",
"origin": "API Call",
"attck_id": "T1057",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1057"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Installation/Persistence",
"identifier": "registry-177",
"type": 3,
"relevance": 1,
"name": "Opens registry keys",
"description": "\"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\\SEGMENT HEAP\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\CONHOST.EXE\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\BAM\\USERSETTINGS\\S-1-5-21-735145574-3570218355-1207367261-1001\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\\BAM\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SAFEBOOT\\OPTION\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SRP\\GP\\DLL\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SAFER\\CODEIDENTIFIERS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SAFER\\CODEIDENTIFIERS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\FILESYSTEM\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKCU\\CONTROL PANEL\\DESKTOP\\MUICACHED\\MACHINELANGUAGECONFIGURATION\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\MUI\\SETTINGS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\CONTROL PANEL\\DESKTOP\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: 
\"HKCU\\CONTROL PANEL\\DESKTOP\\LANGUAGECONFIGURATION\"; Key: \"\"; Value: \"\")",
"origin": "Registry Access",
"attck_id": "T1012",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1012"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Installation/Persistence",
"identifier": "registry-172",
"type": 3,
"relevance": 1,
"name": "Queries registry keys",
"description": "\"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\"; Key: \"RESOURCEPOLICIES\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\BAM\\USERSETTINGS\\S-1-5-21-735145574-3570218355-1207367261-1001\"; Key: \"\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CONHOST.EXE\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SAFER\\CODEIDENTIFIERS\"; Key: \"TRANSPARENTENABLED\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\FILESYSTEM\"; Key: \"LONGPATHSENABLED\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKCU\\CONTROL PANEL\\DESKTOP\"; Key: \"PREFERREDUILANGUAGES\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKCU\\CONTROL PANEL\\DESKTOP\\MUICACHED\"; Key: \"MACHINEPREFERREDUILANGUAGES\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\SIDEBYSIDE\"; Key: \"PREFEREXTERNALMANIFEST\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\"; Key: \"SAFEDLLSEARCHMODE\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\LSA\\FIPSALGORITHMPOLICY\"; Key: \"ENABLED\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\LSA\"; Key: \"FIPSALGORITHMPOLICY\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\LSA\\FIPSALGORITHMPOLICY\"; Key: \"MDMENABLED\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\OLE\"; Key: \"PAGEALLOCATORUSESYSTEMHEAP\"; Value: \"\")\n 
\"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\OLE\"; Key: \"PAGEALLOCATORSYSTEMHEAPISPRIVATE\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\OLE\"; Key: \"AGGRESSIVEMTATESTING\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_INITIALIZE\"; Key: \"DISABLEMETAFILES\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKCU\\CONTROL PANEL\\DESKTOP\"; Key: \"ENABLEPERPROCESSSYSTEMDPI\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\COMPATIBILITY32\"; Key: \"CMD\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\CMF\\CONFIG\"; Key: \"SYSTEM\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS\"; Key: \"LOADAPPINIT_DLLS\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SYSTEM\"; Key: \"DISABLECMD\"; Value: \"\")",
"origin": "Registry Access",
"attck_id": "T1012",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1012"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Installation/Persistence",
"identifier": "string-310",
"type": 2,
"relevance": 1,
"name": "Contains ability to load modules (API string)",
"description": "Found reference to API \"LoadLibraryExW\" (Indicator: \"LoadLibrary\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"LoadLibraryExW\" (Indicator: \"LoadLibrary\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Installation/Persistence",
"identifier": "string-443",
"type": 2,
"relevance": 1,
"name": "Contains registry location which perform auto-execute functionality",
"description": "Found string \"Software\\Microsoft\\Command Processor\" (Indicator: \"software\\microsoft\\command processor\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found string \"Software\\Microsoft\\Command Processor\" (Indicator: \"software\\microsoft\\command processor\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1547.001",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1547/001"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Detection/Stealthyness",
"identifier": "string-304",
"type": 2,
"relevance": 1,
"name": "Contains ability to modify registry key/value (API string)",
"description": "Found reference to API \"RegSetValueExW\" (Indicator: \"RegSetValue\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegSetValueExW\" (Indicator: \"RegSetValue\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1112",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1112"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Detection/Stealthyness",
"identifier": "string-318",
"type": 2,
"relevance": 1,
"name": "Contains ability to load/free library (API string)",
"description": "Found reference to API \"LoadLibraryExW\" (Indicator: \"LoadLibrary\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"LoadLibraryExW\" (Indicator: \"LoadLibrary\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1055.001",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055/001"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Detection/Stealthyness",
"identifier": "string-92",
"type": 2,
"relevance": 1,
"name": "Contains ability to inject code into another process (API string)",
"description": "Found reference to API \"VirtualFree\" (Indicator: \"VirtualFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"VirtualAlloc\" (Indicator: \"VirtualAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"VirtualFree\" (Indicator: \"VirtualFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"VirtualAlloc\" (Indicator: \"VirtualAlloc\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1055",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Detection/Stealthyness",
"identifier": "string-409",
"type": 2,
"relevance": 1,
"name": "Contains ability to set file time (API string)",
"description": "Found reference to API \"SetFileTime\" (Indicator: \"SetFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetFileTime\" (Indicator: \"SetFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1070.006",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1070/006"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Detection/Stealthyness",
"identifier": "string-226",
"type": 2,
"relevance": 1,
"name": "Contains ability to delay execution by waiting for signal/timeout (API string)",
"description": "Found reference to API \"WaitForSingleObject\" (Indicator: \"WaitForSingleObject\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WaitForSingleObject\" (Indicator: \"WaitForSingleObject\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Detection/Stealthyness",
"identifier": "string-306",
"type": 2,
"relevance": 1,
"name": "Contains ability to impersonate access tokens (API string)",
"description": "Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcessToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"OpenThreadToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcessToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"OpenThreadToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1134.001",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Detection/Stealthyness",
"identifier": "memorydump-8",
"type": 20,
"relevance": 1,
"name": "Found PE header in memory",
"description": "Found PE header \"MZ\" - Source: \"00000000-00004716.00000000.77972.492E0000.00000002.mdmp\")\n Found PE header \"MZ\" - Source: \"00000000-00004716.00000001.79890.492E0000.00000002.mdmp\")\n Found PE header \"MZ\" - Source: \"00000000-00004716.00000002.81813.492E0000.00000002.mdmp\")",
"origin": "Memory Dumps",
"attck_id": "T1055",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Reverse Engineering",
"identifier": "string-183",
"type": 2,
"relevance": 1,
"name": "Contains ability to check debugger is running (API string)",
"description": "Found reference to API \"IsDebuggerPresent\" (Indicator: \"IsDebuggerPresent\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryInformationProcess\" (Indicator: \"NtQueryInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"QueryPerformanceCounter\" (Indicator: \"QueryPerformanceCounter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetTickCount\" (Indicator: \"GetTickCount\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
"origin": "File/Memory",
"attck_id": "T1622",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1622"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Reverse Engineering",
"identifier": "string-148",
"type": 2,
"relevance": 1,
"name": "Contains ability to register a top-level exception handler (API string)",
"description": "Found reference to API \"UnhandledExceptionFilter\" (Indicator: \"UnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetUnhandledExceptionFilter\" (Indicator: \"SetUnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetUnhandledExceptionFilter\" (Indicator: \"UnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
"origin": "File/Memory",
"attck_id": "T1622",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1622"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "registry-78",
"type": 3,
"relevance": 1,
"name": "Contains ability to read software policies",
"description": "\"cmd.exe\" (Path: \"HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SAFER\\CODEIDENTIFIERS\"; Key: \"TRANSPARENTENABLED\")",
"origin": "Registry Access",
"attck_id": "T1082",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-222",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve network parameters of a computer (API string)",
"description": "Found reference to API \"WNetGetConnectionWStub\" (Indicator: \"NetGetConnection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WNetGetConnectionWStub\" (Indicator: \"NetGetConnection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1016",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1016"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-89",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve information about the current system (API string)",
"description": "Found reference to API \"RtlNtStatusToDosError\" (Indicator: \"RtlNtStatusToDosError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"ExpandEnvironmentStringsW\" (Indicator: \"ExpandEnvironmentStrings\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RtlNtStatusToDosError\" (Indicator: \"RtlNtStatusToDosError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"ExpandEnvironmentStringsW\" (Indicator: \"ExpandEnvironmentStrings\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1082",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-162",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve volume information (API string)",
"description": "Found reference to API \"NtQueryVolumeInformationFile\" (Indicator: \"NtQueryVolumeInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetVolumeInformationW\" (Indicator: \"GetVolumeInformation\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryVolumeInformationFile\" (Indicator: \"NtQueryVolumeInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetVolumeInformationW\" (Indicator: \"GetVolumeInformation\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1082",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-201",
"type": 2,
"relevance": 1,
"name": "Contains ability to query system locale (API string)",
"description": "Found reference to API \"GetLocaleInfoW\" (Indicator: \"GetLocaleInfo\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetUserDefaultLCID\" (Indicator: \"GetUserDefaultLCID\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetLocaleInfoW\" (Indicator: \"GetLocaleInfo\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetUserDefaultLCID\" (Indicator: \"GetUserDefaultLCID\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1614",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1614"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-249",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve file time (API string)",
"description": "Found reference to API \"FileTimeToSystemTime\" (Indicator: \"FileTimeToSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FileTimeToLocalFileTime\" (Indicator: \"FileTimeToLocalFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SystemTimeToFileTime\" (Indicator: \"SystemTimeToFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTimeAsFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FileTimeToSystemTime\" (Indicator: \"FileTimeToSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"FileTimeToLocalFileTime\" (Indicator: \"FileTimeToLocalFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"SystemTimeToFileTime\" (Indicator: \"SystemTimeToFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTimeAsFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1070.006",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1070/006"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-365",
"type": 2,
"relevance": 1,
"name": "Contains ability to perform scheduled transfer (API string)",
"description": "Found reference to API \"GetLocalTime\" (Indicator: \"GetLocalTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTime\" (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetLocalTime\" (Indicator: \"GetLocalTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTime\" (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1029",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1029"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-247",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve machine time (API string)",
"description": "Found reference to API \"GetLocalTime\" (Indicator: \"GetLocalTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTime\" (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetLocalTime\" (Indicator: \"GetLocalTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTime\" (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1124",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1124"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-167",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve the contents of the STARTUPINFO structure (API string)",
"description": "Found reference to API \"GetStartupInfoW\" (Indicator: \"GetStartupInfo\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
"origin": "File/Memory",
"attck_id": "T1543",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1543"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-171",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve the OS information (API string)",
"description": "Found reference to API \"GetVersion\" (Indicator: \"GetVersion\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetVersion\" (Indicator: \"GetVersion\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1082",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-312",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve path in which Windows is installed (API string)",
"description": "Found reference to API \"GetWindowsDirectoryW\" (Indicator: \"GetWindowsDirectory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetWindowsDirectoryW\" (Indicator: \"GetWindowsDirectory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1083",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-193",
"type": 2,
"relevance": 1,
"name": "Contains ability to query volume/memory size (API string)",
"description": "Found reference to API \"GetDiskFreeSpaceExW\" (Indicator: \"GetDiskFreeSpace\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetDiskFreeSpaceExW\" (Indicator: \"GetDiskFreeSpace\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1082",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "string-194",
"type": 2,
"relevance": 1,
"name": "Contains the ability to enumerate volumes (API string)",
"description": "Found reference to API \"GetVolumePathNameW\" (Indicator: \"GetVolumePathName\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetVolumePathNameW\" (Indicator: \"GetVolumePathName\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1006",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1006"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "api-103",
"type": 6,
"relevance": 3,
"name": "Calls an API typically used for taking snapshot of the specified processes",
"description": "\"cmd.exe\" called \"CreateToolhelp32Snapshot\" with parameters {\"dwFlags\": \"4\"\n \"th32ProcessID\": \"0\"}",
"origin": "API Call",
"attck_id": "T1057",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1057"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-85",
"type": 2,
"relevance": 1,
"name": "Contains ability to enumerate process and/or its information (API string)",
"description": "Found reference to API \"NtQueryInformationProcess\" (Indicator: \"QueryInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetModuleHandleW\" (Indicator: \"GetModuleHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetEnvironmentStringsW\" (Indicator: \"GetEnvironmentStrings\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetCurrentProcess\" (Indicator: \"GetCurrentProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetCurrentProcessId\" (Indicator: \"GetCurrentProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryInformationProcess\" (Indicator: \"QueryInformationProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetModuleHandleW\" (Indicator: \"GetModuleHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetEnvironmentStringsW\" (Indicator: \"GetEnvironmentStrings\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetCurrentProcess\" (Indicator: \"GetCurrentProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetCurrentProcessId\" (Indicator: 
\"GetCurrentProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1057",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1057"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-121",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve usernames and/or user information (API string)",
"description": "Found reference to API \"NtQueryInformationProcess\" (Indicator: \"NtQueryInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"LookupAccountSidWStub\" (Indicator: \"LookupAccountSid\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"NtOpenProcessToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcessToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryInformationToken\" (Indicator: \"NtQueryInformationToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"NtOpenThreadToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryInformationProcess\" (Indicator: \"NtQueryInformationProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"LookupAccountSidWStub\" (Indicator: \"LookupAccountSid\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"NtOpenProcessToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcessToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 
00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtQueryInformationToken\" (Indicator: \"NtQueryInformationToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"NtOpenThreadToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1033",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1033"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-534",
"type": 2,
"relevance": 0,
"name": "Contains ability to read files (API string)",
"description": "Found reference to API \"ReadFile\" (Indicator: \"ReadFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"ReadFile\" (Indicator: \"ReadFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1083",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-83",
"type": 2,
"relevance": 1,
"name": "Contains ability to enumerate files on disk (API string)",
"description": "Found reference to API \"FindFirstFileW\" (Indicator: \"FindFirstFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FindNextFileW\" (Indicator: \"FindNextFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FindFirstFileExW\" (Indicator: \"FindFirstFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FindFirstFileW\" (Indicator: \"FindFirstFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"FindNextFileW\" (Indicator: \"FindNextFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"FindFirstFileExW\" (Indicator: \"FindFirstFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1083",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-317",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve address of exported function from a DLL (API string)",
"description": "Found reference to API \"GetProcAddress\" (Indicator: \"GetProcAddress\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetProcAddress\" (Indicator: \"GetProcAddress\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-207",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve file and directory information (API string)",
"description": "Found reference to API \"GetFileSize\" (Indicator: \"GetFileSize\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileAttributesW\" (Indicator: \"GetFileAttributes\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileAttributesExW\" (Indicator: \"GetFileAttributes\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetCurrentDirectoryW\" (Indicator: \"GetCurrentDirectory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileInformationByHandleEx\" (Indicator: \"GetFileInformationByHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileSize\" (Indicator: \"GetFileSize\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetFileAttributesW\" (Indicator: \"GetFileAttributes\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetFileAttributesExW\" (Indicator: \"GetFileAttributes\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetCurrentDirectoryW\" (Indicator: \"GetCurrentDirectory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetFileInformationByHandleEx\" (Indicator: \"GetFileInformationByHandle\"; 
Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1083",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-427",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve a module handle (API string)",
"description": "Found reference to API \"GetModuleHandleW\" (Indicator: \"GetModuleHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetModuleHandleW\" (Indicator: \"GetModuleHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1082",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-107",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve the host's architecture (API string)",
"description": "Found reference to API \"GetEnvironmentVariableW\" (Indicator: \"GetEnvironmentVariable\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetEnvironmentVariableW\" (Indicator: \"GetEnvironmentVariable\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1082",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-229",
"type": 2,
"relevance": 1,
"name": "Contains ability to query registry keys (API string)",
"description": "Found reference to API \"RegQueryValueExW\" (Indicator: \"RegQueryValue\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegOpenKeyExW\" (Indicator: \"RegOpenKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegEnumKeyExW\" (Indicator: \"RegEnumKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegQueryValueExW\" (Indicator: \"RegQueryValue\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"RegOpenKeyExW\" (Indicator: \"RegOpenKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"RegEnumKeyExW\" (Indicator: \"RegEnumKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1012",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1012"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-164",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve the fully qualified path of module (API string)",
"description": "Found reference to API \"GetModuleFileNameW\" (Indicator: \"GetModuleFileName\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetModuleFileNameW\" (Indicator: \"GetModuleFileName\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-80",
"type": 2,
"relevance": 1,
"name": "Contains ability to determine disk drive type (API string)",
"description": "Found reference to API \"GetDriveTypeW\" (Indicator: \"GetDriveType\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetDriveTypeW\" (Indicator: \"GetDriveType\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1082",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Spyware/Information Retrieval",
"identifier": "string-205",
"type": 2,
"relevance": 1,
"name": "Contains ability to retrieve the time elapsed since the system was started (API string)",
"description": "Found reference to API \"GetTickCount\" (Indicator: \"GetTickCount\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetTickCount\" (Indicator: \"GetTickCount\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1497.003",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1497/003"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Network Related",
"identifier": "string-3",
"type": 2,
"relevance": 3,
"name": "Found potential URL in binary/memory",
"description": "Heuristic match: \"fD9.tH\"\n Pattern match: \"http://schemas.microsoft.com/SMI/2005/WindowsSettings\"\n Heuristic match: \"(s.IL\"",
"origin": "File/Memory",
"attck_id": "T1071",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1071"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Network Related",
"identifier": "string-257",
"type": 2,
"relevance": 1,
"name": "Contains ability to enumerate network resources (API string)",
"description": "Found reference to API \"WNetGetConnectionWStub\" (Indicator: \"NetGetConnection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WNetAddConnection2WStub\" (Indicator: \"NetAddConnection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WNetGetConnectionWStub\" (Indicator: \"NetGetConnection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"WNetAddConnection2WStub\" (Indicator: \"NetAddConnection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1049",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1049"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Network Related",
"identifier": "string-113",
"type": 2,
"relevance": 1,
"name": "Contains ability to provide information and utilities for managing network resources (API string)",
"description": "Found reference to API \"WNetCancelConnection2WStub\" (Indicator: \"WNetCancelConnection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
"origin": "File/Memory",
"attck_id": "T1135",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1135"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "registry-173",
"type": 3,
"relevance": 1,
"name": "Queries services related registry keys",
"description": "\"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\BAM\\USERSETTINGS\\S-1-5-21-735145574-3570218355-1207367261-1001\"; Key: \"\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CONHOST.EXE\"; Value: \"\")",
"origin": "Registry Access",
"attck_id": "T1007",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1007"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "string-426",
"type": 2,
"relevance": 1,
"name": "Contains ability to modify file attributes (API string)",
"description": "Found reference to API \"NtSetInformationFile\" (Indicator: \"SetInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtSetInformationFile\" (Indicator: \"NtSetInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetFileAttributesW\" (Indicator: \"SetFileAttributes\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtSetInformationFile\" (Indicator: \"SetInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtSetInformationFile\" (Indicator: \"NtSetInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"SetFileAttributesW\" (Indicator: \"SetFileAttributes\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1222",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1222"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "string-114",
"type": 2,
"relevance": 1,
"name": "Contains ability to obtains specified information about the security of a file or directory (API string)",
"description": "Found reference to API \"RevertToSelf\" (Indicator: \"RevertToSelf\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileSecurityW\" (Indicator: \"GetFileSecurityW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSecurityDescriptorOwner\" (Indicator: \"GetSecurityDescriptorOwner\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RevertToSelf\" (Indicator: \"RevertToSelf\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetFileSecurityW\" (Indicator: \"GetFileSecurityW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSecurityDescriptorOwner\" (Indicator: \"GetSecurityDescriptorOwner\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1134.001",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "string-230",
"type": 2,
"relevance": 1,
"name": "Contains ability to delete registry key/value (API string)",
"description": "Found reference to API \"RegDeleteValueW\" (Indicator: \"RegDeleteValue\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegDeleteKeyExW\" (Indicator: \"RegDeleteKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegDeleteValueW\" (Indicator: \"RegDeleteValue\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"RegDeleteKeyExW\" (Indicator: \"RegDeleteKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1112",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1112"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "string-402",
"type": 2,
"relevance": 1,
"name": "Contains ability to modify process attributes (API string)",
"description": "Found reference to API \"InitializeProcThreadAttributeList\" (Indicator: \"InitializeProcThreadAttributeList\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"UpdateProcThreadAttribute\" (Indicator: \"UpdateProcThreadAttribute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"InitializeProcThreadAttributeList\" (Indicator: \"InitializeProcThreadAttributeList\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"UpdateProcThreadAttribute\" (Indicator: \"UpdateProcThreadAttribute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1562.001",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1562/001"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "string-168",
"type": 2,
"relevance": 1,
"name": "Contains ability to create process with token (API string)",
"description": "Found reference to API \"CreateProcessAsUserW\" (Indicator: \"CreateProcessAsUser\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
"origin": "File/Memory",
"attck_id": "T1134.002",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134/002"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "string-535",
"type": 2,
"relevance": 0,
"name": "Contains ability to write files (API string)",
"description": "Found reference to API \"WriteFile\" (Indicator: \"WriteFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WriteFile\" (Indicator: \"WriteFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1105",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1105"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "string-308",
"type": 2,
"relevance": 1,
"name": "Contains ability to delete files/directories (API string)",
"description": "Found reference to API \"DeleteFileW\" (Indicator: \"DeleteFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RemoveDirectoryW\" (Indicator: \"RemoveDirectory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"DeleteFileW\" (Indicator: \"DeleteFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"RemoveDirectoryW\" (Indicator: \"RemoveDirectory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1070.004",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1070/004"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "string-316",
"type": 2,
"relevance": 1,
"name": "Contains ability to terminate a process (API string)",
"description": "Found reference to API \"TerminateProcess\" (Indicator: \"TerminateProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"TerminateProcess\" (Indicator: \"TerminateProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1489",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1489"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "static-87",
"type": 0,
"relevance": 1,
"name": "Imports system security related APIs",
"description": "Observed import api \"GetFileSecurityW\" which can \"Obtains specified information about the security of a file or directory\" [Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin]\n Observed import api \"GetSecurityDescriptorOwner\" which can \"Retrieves the owner information from a security descriptor\" [Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin]\n Observed import api \"RevertToSelf\" which can \"Terminates the impersonation of a client application\" [Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin]",
"origin": "Static Parser",
"attck_id": "T1134.001",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "System Security",
"identifier": "string-474",
"type": 2,
"relevance": 1,
"name": "Contains ability to access device drivers",
"description": "Found string \"\\Device\\HarddiskVolume2\\cmd.exe\" (Indicator: \"\\Device\\\"; Source: \"00000000-00004716.00000000.77972.69D30000.00000004.mdmp, 00000000-00004716.00000001.79890.69D30000.00000004.mdmp, 00000000-00004716.00000002.81813.69D30000.00000004.mdmp\")",
"origin": "File/Memory",
"attck_id": "T1543.003",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1543/003"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "External Systems",
"identifier": "avtest-1",
"type": 12,
"relevance": 10,
"name": "Sample was identified as clean by Antivirus engines",
"description": "0/71 Antivirus vendors marked sample as malicious (0% detection rate)",
"origin": "External System",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "General",
"identifier": "static-92",
"type": 0,
"relevance": 5,
"name": "PE file has unusual entropy resources",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has resource with unusual entropy \"RT_ICON:7.85051980666\"",
"origin": "Static Parser",
"attck_id": "T1027.002",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1027/002"
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "Unusual Characteristics",
"identifier": "hooks-8",
"type": 11,
"relevance": 10,
"name": "Installs hooks/patches the running process",
"description": "\"cmd.exe\" wrote bytes \"e0e8c4d7f97f0000\" to virtual address \"0x4932E000\" (part of module \"CMD.EXE\")\n \"cmd.exe\" wrote bytes \"a09d036a5b010000608e036a5b01000090b7016a5b010000a090036a5b010000508d016a5b010000502e016a5b01000020c4036a5b01000070bb036a5b01000080bc036a5b0100004078046a5b010000a0ba036a5b0100000088036a5b010000\" to virtual address \"0xE7D74030\" (part of module \"GDI32.DLL\")",
"origin": "Hook Detection",
"attck_id": "T1056.004",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1056/004"
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "Unusual Characteristics",
"identifier": "static-1",
"type": 0,
"relevance": 1,
"name": "Imports suspicious APIs",
"description": "UnhandledExceptionFilter\n GetDriveTypeW\n GetFileAttributesW\n GetFileSize\n CreateDirectoryW\n DeleteFileW\n WriteFile\n FindNextFileW\n FindFirstFileW\n FindFirstFileExW\n GetFileAttributesExW\n CreateFileW\n DeviceIoControl\n CopyFileW\n GetProcAddress\n LoadLibraryExW\n GetModuleFileNameW\n GetModuleHandleW\n VirtualAlloc\n ReadProcessMemory\n GetCommandLineW\n TerminateProcess\n CreateProcessW\n GetStartupInfoW\n CreateProcessAsUserW\n RegCreateKeyExW\n RegDeleteValueW\n RegCloseKey\n RegEnumKeyExW\n RegOpenKeyExW\n RegDeleteKeyExW\n Sleep\n GetTickCount\n NtQueryInformationToken\n NtQueryInformationProcess",
"origin": "Static Parser",
"attck_id": "T1106",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "Anti-Reverse Engineering",
"identifier": "static-6",
"type": 0,
"relevance": 3,
"name": "PE file has unusual entropy sections",
"description": ".didat with unusual entropies 0.907093089296",
"origin": "Static Parser",
"attck_id": "T1027.002",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1027/002"
},
{
"threat_level": 2,
"threat_level_human": "malicious",
"category": "Anti-Detection/Stealthyness",
"identifier": "target-94",
"type": 9,
"relevance": 3,
"name": "Found a system process name at an unusual pathway",
"description": "Process \"cmd.exe\" has a system process name but is not located in a Windows (sub-)directory (UID: 00000000-00004716)",
"origin": "Monitored Target",
"attck_id": "T1036.005",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/techniques/T1036/005"
}
]
},
{
"classification_tags": [],
"tags": [],
"submissions": [
{
"submission_id": "60f5dadb3ddbd71a493b4e50",
"filename": "file",
"url": null,
"created_at": "2021-07-19T20:04:43+00:00"
},
{
"submission_id": "60e87e8ed717cf14e5771f4f",
"filename": "file",
"url": null,
"created_at": "2021-07-09T16:51:26+00:00"
},
{
"submission_id": "5f196598c665454d4960c94d",
"filename": "file",
"url": null,
"created_at": "2020-07-23T10:25:28+00:00"
}
],
"machine_learning_models": [],
"crowdstrike_ai": {
"executable_process_memory_analysis": [],
"analysis_related_urls": []
},
"job_id": null,
"environment_id": null,
"environment_description": "Static Analysis",
"size": 232960,
"type": "PE32+ executable (console) x86-64, for MS Windows",
"type_short": [
"peexe",
"64bits",
"executable"
],
"target_url": null,
"state": "SUCCESS",
"error_type": null,
"error_origin": null,
"submit_name": "file",
"md5": "f4f684066175b77e0c3a000549d2922c",
"sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
"sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
"sha512": "fe8f0593cc335ad28eb90211bc4ff01a3d2992cffb3877d04cefede9ef94afeb1a7d7874dd0c0ae04eaf8308291d5a4d879e6ecf6fe2b8d0ff1c3ac7ef143206",
"ssdeep": null,
"imphash": null,
"entrypoint": null,
"entrypoint_section": null,
"image_base": null,
"subsystem": null,
"image_file_characteristics": [],
"dll_characteristics": [],
"major_os_version": null,
"minor_os_version": null,
"av_detect": 0,
"vx_family": null,
"url_analysis": false,
"analysis_start_time": "2020-07-23T10:25:28+00:00",
"threat_score": null,
"interesting": false,
"threat_level": 0,
"verdict": "no specific threat",
"certificates": [],
"is_certificates_valid": null,
"certificates_validation_message": null,
"domains": [],
"compromised_hosts": [],
"hosts": [],
"total_network_connections": 0,
"total_processes": 0,
"total_signatures": 0,
"extracted_files": [],
"file_metadata": null,
"processes": [],
"mitre_attcks": [],
"network_mode": "default",
"signatures": []
},
{
"classification_tags": [],
"tags": [],
"submissions": [
{
"submission_id": "60195513efa3090ef70210f9",
"filename": "utilman.exe",
"url": null,
"created_at": "2021-02-02T13:35:15+00:00"
},
{
"submission_id": "5fd594e5fbef250536222759",
"filename": "cmd.exe",
"url": null,
"created_at": "2020-12-13T04:13:25+00:00"
},
{
"submission_id": "5f75727102a5f179cd29069e",
"filename": "cmd.exe",
"url": null,
"created_at": "2020-10-01T06:08:49+00:00"
},
{
"submission_id": "5ec0ceb2d7ce6a2712303213",
"filename": "Utilman.exe",
"url": null,
"created_at": "2020-05-17T05:42:10+00:00"
},
{
"submission_id": "5e53273fb30de355842896a2",
"filename": "cmd.exe",
"url": null,
"created_at": "2020-02-24T01:30:39+00:00"
},
{
"submission_id": "5d288eb0038838a74cfa9906",
"filename": "cmd.exe",
"url": null,
"created_at": "2019-07-12T13:44:16+00:00"
},
{
"submission_id": "5d2500bd0288388e538437b1",
"filename": "cmd.exe",
"url": null,
"created_at": "2019-07-09T21:01:49+00:00"
},
{
"submission_id": "5cbea1b4038838399c0365ff",
"filename": "cmd.exe",
"url": null,
"created_at": "2019-04-23T05:25:08+00:00"
},
{
"submission_id": "5c35e7b37ca3e11e9f79e9a4",
"filename": "sethc.exe",
"url": null,
"created_at": "2019-01-09T06:23:15-06:00"
},
{
"submission_id": "5c35cef37ca3e1571e6b9436",
"filename": "sethc.exe",
"url": null,
"created_at": "2019-01-09T04:37:39-06:00"
},
{
"submission_id": "5c35cdce7ca3e1550a1e6a92",
"filename": "sethc.exe",
"url": null,
"created_at": "2019-01-09T04:32:46-06:00"
},
{
"submission_id": "5b577fba7ca3e13656490373",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-07-24T14:36:26-05:00"
},
{
"submission_id": "5b5601b37ca3e171691d73e2",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-07-23T11:26:27-05:00"
},
{
"submission_id": "5b0e04857ca3e14c8f62c6fb",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-05-29T20:55:17-05:00"
},
{
"submission_id": "5ad854a47ca3e1453f07bc82",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-04-19T03:34:44-05:00"
},
{
"submission_id": "5ab269537ca3e101fb04a953",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-03-21T09:16:51-05:00"
},
{
"submission_id": "5ab0cffe7ca3e12af23357d3",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-03-20T04:10:22-05:00"
},
{
"submission_id": "5a94e29e7ca3e122510713e2",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-02-26T22:46:22-06:00"
},
{
"submission_id": "5a26f15e7ca3e1169435c782",
"filename": "cmd.exe",
"url": null,
"created_at": "2017-12-05T13:19:58-06:00"
},
{
"submission_id": "5a26f0c47ca3e1158b6ee0e2",
"filename": "cmd.exe",
"url": null,
"created_at": "2017-12-05T13:17:24-06:00"
}
],
"machine_learning_models": [],
"crowdstrike_ai": {
"executable_process_memory_analysis": [],
"analysis_related_urls": []
},
"job_id": "58593319aac2edc56d351531",
"environment_id": 100,
"environment_description": "Windows 7 32 bit",
"size": 232960,
"type": "PE32+ executable (console) x86-64, for MS Windows",
"type_short": [
"peexe",
"64bits",
"executable"
],
"target_url": null,
"state": "SUCCESS",
"error_type": null,
"error_origin": null,
"submit_name": "cmd.exe",
"md5": "f4f684066175b77e0c3a000549d2922c",
"sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
"sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
"sha512": "fe8f0593cc335ad28eb90211bc4ff01a3d2992cffb3877d04cefede9ef94afeb1a7d7874dd0c0ae04eaf8308291d5a4d879e6ecf6fe2b8d0ff1c3ac7ef143206",
"ssdeep": "3072:bkd4COZG6/A1tO1Y6TbkX2FtynroeJ/MEJoSsasbLLkhyjyGe:bkuC9+Af0Y6TbbFtkoeJk1KsfLXm",
"imphash": "3062ed732d4b25d1c64f084dac97d37a",
"entrypoint": "0x140015190",
"entrypoint_section": ".text",
"image_base": null,
"subsystem": null,
"image_file_characteristics": [],
"dll_characteristics": [],
"major_os_version": null,
"minor_os_version": null,
"av_detect": 0,
"vx_family": null,
"url_analysis": false,
"analysis_start_time": "2020-02-24T01:30:48+00:00",
"threat_score": 30,
"interesting": false,
"threat_level": 3,
"verdict": "no verdict",
"certificates": [],
"is_certificates_valid": null,
"certificates_validation_message": null,
"domains": [],
"compromised_hosts": [],
"hosts": [],
"total_network_connections": 0,
"total_processes": 1,
"total_signatures": 14,
"extracted_files": [],
"file_metadata": null,
"processes": [],
"mitre_attcks": [
{
"tactic": "Discovery",
"technique": "System Time Discovery",
"attck_id": "T1124",
"attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1124",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "File and Directory Discovery",
"attck_id": "T1083",
"attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1083",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
}
],
"network_mode": "default",
"signatures": [
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-7",
"type": 2,
"relevance": 1,
"name": "Contains PDB pathways",
"description": "\"cmd.pdb\"",
"origin": "File/Memory",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Reverse Engineering",
"identifier": "stream-4",
"type": 1,
"relevance": 1,
"name": "Contains ability to register a top-level exception handler (often used as anti-debugging trick)",
"description": "SetUnhandledExceptionFilter@api-ms-win-core-errorhandling-l1-1-1.dll at 43727-268-00000001400151E4",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-49",
"type": 1,
"relevance": 1,
"name": "Contains ability to query the system locale",
"description": "GetUserDefaultLCID@api-ms-win-core-localization-l1-2-1.dll at 43727-287-00000001400069BC",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-2",
"type": 1,
"relevance": 1,
"name": "Contains ability to query machine time",
"description": "GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-284-0000000140002BA0\n GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-285-000000014001F53C\n GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-296-00000001400020C8\n GetLocalTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-993-000000014001F6C3\n GetSystemTimeAsFileTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-599-00000001400156B4",
"origin": "Hybrid Analysis Technology",
"attck_id": "T1124",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1124"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-3",
"type": 1,
"relevance": 1,
"name": "Contains ability to query the machine version",
"description": "GetVersion@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-439-0000000140001008",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-37",
"type": 1,
"relevance": 3,
"name": "Contains ability to query volume size",
"description": "GetDiskFreeSpaceExW@api-ms-win-core-file-l1-2-1.dll at 43727-485-000000014002542C",
"origin": "Hybrid Analysis Technology",
"attck_id": "T1083",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1083"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-31",
"type": 1,
"relevance": 1,
"name": "Possibly tries to detect the presence of a debugger",
"description": "GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-314-000000014000BC30\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-316-0000000140008FA0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-270-000000014000B4A0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-271-000000014000B530\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-277-0000000140011840\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-297-000000014000E278\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-298-000000014000E2EC\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-305-0000000140005C6C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-661-00000001400016F0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-331-0000000140014D2C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-355-0000000140005954\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-366-00000001400032FC\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-383-000000014000D360\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-441-000000014000D110\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-511-000000014000B170\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-523-000000014000BCE0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-588-0000000140006418\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-596-000000014001168C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-605-0000000140014190\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-607-0000000140014044",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Network Related",
"identifier": "string-3",
"type": 2,
"relevance": 10,
"name": "Found potential URL in binary/memory",
"description": "Pattern match: \"http://schemas.microsoft.com/SMI/2005/WindowsSettings\"",
"origin": "File/Memory",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "External Systems",
"identifier": "avtest-1",
"type": 12,
"relevance": 10,
"name": "Sample was identified as clean by Antivirus engines",
"description": "0/68 Antivirus vendors marked sample as malicious (0% detection rate)\n 0/22 Antivirus vendors marked sample as malicious (0% detection rate)",
"origin": "External System",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "Unusual Characteristics",
"identifier": "static-60",
"type": 0,
"relevance": 10,
"name": "PE file contains unusual section name",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has a section named \".didat\"",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "Unusual Characteristics",
"identifier": "static-1",
"type": 0,
"relevance": 1,
"name": "Imports suspicious APIs",
"description": "UnhandledExceptionFilter\n GetDriveTypeW\n GetFileAttributesW\n GetFileSize\n CreateDirectoryW\n DeleteFileW\n WriteFile\n FindNextFileW\n FindFirstFileW\n FindFirstFileExW\n GetFileAttributesExW\n CreateFileW\n DeviceIoControl\n CopyFileW\n GetProcAddress\n LoadLibraryExW\n GetModuleFileNameW\n GetModuleHandleW\n VirtualAlloc\n ReadProcessMemory\n GetCommandLineW\n TerminateProcess\n CreateProcessW\n GetStartupInfoW\n CreateProcessAsUserW\n RegCreateKeyExW\n RegDeleteValueW\n RegCloseKey\n RegEnumKeyExW\n RegOpenKeyExW\n RegDeleteKeyExW\n Sleep\n GetTickCount\n NtQueryInformationToken\n NtQueryInformationProcess",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "Anti-Detection/Stealthyness",
"identifier": "stream-42",
"type": 1,
"relevance": 3,
"name": "Possibly tries to hide a process launching it with different user credentials",
"description": "CreateProcessAsUserW@api-ms-win-core-processthreads-l1-1-2.dll at 43727-828-000000014000EFFE",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 2,
"threat_level_human": "malicious",
"category": "General",
"identifier": "stream-21",
"type": 1,
"relevance": 8,
"name": "Contains ability to start/interact with device drivers",
"description": "DeviceIoControl@api-ms-win-core-io-l1-1-1.dll at 43727-611-0000000140013690",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 2,
"threat_level_human": "malicious",
"category": "Unusual Characteristics",
"identifier": "stream-22",
"type": 1,
"relevance": 5,
"name": "Contains native function calls",
"description": "NtFsControlFile@ntdll.dll at 43727-309-00000001400268C4\n NtCancelSynchronousIoFile@ntdll.dll at 43727-532-00000001400227A0\n NtOpenThreadToken@ntdll.dll at 43727-585-00000001400029C0\n NtQueryInformationToken@ntdll.dll at 43727-586-0000000140002A84\n NtQueryInformationToken@ntdll.dll at 43727-587-0000000140002AD4\n NtQueryInformationProcess@ntdll.dll at 43727-630-0000000140004480\n NtOpenFile@ntdll.dll at 43727-643-00000001400042DC\n NtQueryVolumeInformationFile@ntdll.dll at 43727-644-00000001400043D8",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
}
]
},
{
"classification_tags": [],
"tags": [],
"submissions": [
{
"submission_id": "5f85aeb7dbdeb607bb5e34eb",
"filename": "kiss.exe",
"url": null,
"created_at": "2020-10-13T13:42:15+00:00"
},
{
"submission_id": "5d8b4dbf028838d6417f6d53",
"filename": "cmd.exe",
"url": null,
"created_at": "2019-09-25T11:21:35+00:00"
},
{
"submission_id": "5d8b4db702883891837f6b95",
"filename": "cmd.exe",
"url": null,
"created_at": "2019-09-25T11:21:27+00:00"
},
{
"submission_id": "5d4846eb0288385a279299b7",
"filename": "cmd.exe",
"url": null,
"created_at": "2019-08-05T15:10:35+00:00"
},
{
"submission_id": "5d250066038838da118437b2",
"filename": "cmd.exe",
"url": null,
"created_at": "2019-07-09T21:00:22+00:00"
},
{
"submission_id": "5ce828c5038838ca61130390",
"filename": "cmd.exe",
"url": null,
"created_at": "2019-05-24T17:24:21+00:00"
},
{
"submission_id": "5cb263840388384184827cf6",
"filename": "sethc.exe",
"url": null,
"created_at": "2019-04-13T22:32:36+00:00"
},
{
"submission_id": "5b69b6167ca3e129e233b695",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-08-07T10:09:10-05:00"
},
{
"submission_id": "5b576e3e7ca3e1632e094913",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-07-24T13:21:50-05:00"
},
{
"submission_id": "5b576ce57ca3e15a46380635",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-07-24T13:16:05-05:00"
},
{
"submission_id": "5ab0d1057ca3e12dbd5d09f2",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-03-20T04:14:45-05:00"
},
{
"submission_id": "5a7c75817ca3e13c9b2ebf52",
"filename": "cmd.exe",
"url": null,
"created_at": "2018-02-08T10:06:25-06:00"
},
{
"submission_id": "5a34f2a27ca3e13531789a94",
"filename": "cmd.exe",
"url": null,
"created_at": "2017-12-16T04:17:06-06:00"
}
],
"machine_learning_models": [],
"crowdstrike_ai": {
"executable_process_memory_analysis": [],
"analysis_related_urls": []
},
"job_id": "5a34f2a27ca3e13531789a95",
"environment_id": 120,
"environment_description": "Windows 7 64 bit",
"size": 232960,
"type": "PE32+ executable (console) x86-64, for MS Windows",
"type_short": [
"peexe",
"64bits",
"executable"
],
"target_url": null,
"state": "SUCCESS",
"error_type": null,
"error_origin": null,
"submit_name": "cmd.exe",
"md5": "f4f684066175b77e0c3a000549d2922c",
"sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
"sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
"sha512": "fe8f0593cc335ad28eb90211bc4ff01a3d2992cffb3877d04cefede9ef94afeb1a7d7874dd0c0ae04eaf8308291d5a4d879e6ecf6fe2b8d0ff1c3ac7ef143206",
"ssdeep": "3072:bkd4COZG6/A1tO1Y6TbkX2FtynroeJ/MEJoSsasbLLkhyjyGe:bkuC9+Af0Y6TbbFtkoeJk1KsfLXm",
"imphash": "3062ed732d4b25d1c64f084dac97d37a",
"entrypoint": "0x140015190",
"entrypoint_section": ".text",
"image_base": null,
"subsystem": null,
"image_file_characteristics": [],
"dll_characteristics": [],
"major_os_version": null,
"minor_os_version": null,
"av_detect": 0,
"vx_family": null,
"url_analysis": false,
"analysis_start_time": "2019-09-25T11:21:32+00:00",
"threat_score": 30,
"interesting": false,
"threat_level": 3,
"verdict": "no verdict",
"certificates": [],
"is_certificates_valid": null,
"certificates_validation_message": null,
"domains": [],
"compromised_hosts": [],
"hosts": [],
"total_network_connections": 0,
"total_processes": 1,
"total_signatures": 14,
"extracted_files": [],
"file_metadata": null,
"processes": [],
"mitre_attcks": [
{
"tactic": "Discovery",
"technique": "File and Directory Discovery",
"attck_id": "T1083",
"attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1083",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
},
{
"tactic": "Discovery",
"technique": "System Time Discovery",
"attck_id": "T1124",
"attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1124",
"malicious_identifiers_count": 0,
"malicious_identifiers": [],
"suspicious_identifiers_count": 0,
"suspicious_identifiers": [],
"informative_identifiers_count": 1,
"informative_identifiers": [],
"parent": null
}
],
"network_mode": "default",
"signatures": [
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "General",
"identifier": "string-7",
"type": 2,
"relevance": 1,
"name": "Contains PDB pathways",
"description": "\"cmd.pdb\"",
"origin": "File/Memory",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Anti-Reverse Engineering",
"identifier": "stream-4",
"type": 1,
"relevance": 1,
"name": "Contains ability to register a top-level exception handler (often used as anti-debugging trick)",
"description": "SetUnhandledExceptionFilter@api-ms-win-core-errorhandling-l1-1-1.dll at 12264-268-00000001400151E4",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-31",
"type": 1,
"relevance": 1,
"name": "Possibly tries to detect the presence of a debugger",
"description": "GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-314-000000014000BC30\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-316-0000000140008FA0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-270-000000014000B4A0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-271-000000014000B530\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-277-0000000140011840\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-331-0000000140014D2C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-297-000000014000E278\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-298-000000014000E2EC\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-305-0000000140005C6C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-383-000000014000D360\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-355-0000000140005954\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-366-00000001400032FC\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-441-000000014000D110\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-511-000000014000B170\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-523-000000014000BCE0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-588-0000000140006418\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-596-000000014001168C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-605-0000000140014190\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-623-00000001400123F0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-607-0000000140014044",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-37",
"type": 1,
"relevance": 3,
"name": "Contains ability to query volume size",
"description": "GetDiskFreeSpaceExW@api-ms-win-core-file-l1-2-1.dll at 12264-485-000000014002542C",
"origin": "Hybrid Analysis Technology",
"attck_id": "T1083",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1083"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-2",
"type": 1,
"relevance": 1,
"name": "Contains ability to query machine time",
"description": "GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-284-0000000140002BA0\n GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-285-000000014001F53C\n GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-296-00000001400020C8\n GetSystemTimeAsFileTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-599-00000001400156B4\n GetLocalTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-993-000000014001F6C3",
"origin": "Hybrid Analysis Technology",
"attck_id": "T1124",
"capec_id": null,
"attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1124"
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-3",
"type": 1,
"relevance": 1,
"name": "Contains ability to query the machine version",
"description": "GetVersion@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-439-0000000140001008",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Environment Awareness",
"identifier": "stream-49",
"type": 1,
"relevance": 1,
"name": "Contains ability to query the system locale",
"description": "GetUserDefaultLCID@api-ms-win-core-localization-l1-2-1.dll at 12264-287-00000001400069BC",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "Network Related",
"identifier": "string-3",
"type": 2,
"relevance": 10,
"name": "Found potential URL in binary/memory",
"description": "Pattern match: \"http://schemas.microsoft.com/SMI/2005/WindowsSettings\"",
"origin": "File/Memory",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 0,
"threat_level_human": "informative",
"category": "External Systems",
"identifier": "avtest-1",
"type": 12,
"relevance": 10,
"name": "Sample was identified as clean by Antivirus engines",
"description": "0/16 Antivirus vendors marked sample as malicious (0% detection rate)\n 0/70 Antivirus vendors marked sample as malicious (0% detection rate)",
"origin": "External System",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "Unusual Characteristics",
"identifier": "static-60",
"type": 0,
"relevance": 10,
"name": "PE file contains unusual section name",
"description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has a section named \".didat\"",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "Unusual Characteristics",
"identifier": "static-1",
"type": 0,
"relevance": 1,
"name": "Imports suspicious APIs",
"description": "UnhandledExceptionFilter\n GetDriveTypeW\n GetFileAttributesW\n GetFileSize\n CreateDirectoryW\n DeleteFileW\n WriteFile\n FindNextFileW\n FindFirstFileW\n FindFirstFileExW\n GetFileAttributesExW\n CreateFileW\n DeviceIoControl\n CopyFileW\n GetProcAddress\n LoadLibraryExW\n GetModuleFileNameW\n GetModuleHandleW\n VirtualAlloc\n ReadProcessMemory\n GetCommandLineW\n TerminateProcess\n CreateProcessW\n GetStartupInfoW\n CreateProcessAsUserW\n RegCreateKeyExW\n RegDeleteValueW\n RegCloseKey\n RegEnumKeyExW\n RegOpenKeyExW\n RegDeleteKeyExW\n Sleep\n GetTickCount\n NtQueryInformationToken\n NtQueryInformationProcess",
"origin": "Static Parser",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 1,
"threat_level_human": "suspicious",
"category": "Anti-Detection/Stealthyness",
"identifier": "stream-42",
"type": 1,
"relevance": 3,
"name": "Possibly tries to hide a process launching it with different user credentials",
"description": "CreateProcessAsUserW@api-ms-win-core-processthreads-l1-1-2.dll at 12264-828-000000014000EFFE",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 2,
"threat_level_human": "malicious",
"category": "General",
"identifier": "stream-21",
"type": 1,
"relevance": 8,
"name": "Contains ability to start/interact with device drivers",
"description": "DeviceIoControl@api-ms-win-core-io-l1-1-1.dll at 12264-611-0000000140013690",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
},
{
"threat_level": 2,
"threat_level_human": "malicious",
"category": "Unusual Characteristics",
"identifier": "stream-22",
"type": 1,
"relevance": 5,
"name": "Contains native function calls",
"description": "NtFsControlFile@ntdll.dll at 12264-309-00000001400268C4\n NtCancelSynchronousIoFile@ntdll.dll at 12264-532-00000001400227A0\n NtOpenProcessToken@ntdll.dll at 12264-585-00000001400029C0\n NtQueryInformationToken@ntdll.dll at 12264-586-0000000140002A84\n NtQueryInformationToken@ntdll.dll at 12264-587-0000000140002AD4\n NtSetInformationProcess@ntdll.dll at 12264-630-0000000140004480\n NtOpenFile@ntdll.dll at 12264-643-00000001400042DC\n NtQueryVolumeInformationFile@ntdll.dll at 12264-644-00000001400043D8",
"origin": "Hybrid Analysis Technology",
"attck_id": null,
"capec_id": null,
"attck_id_wiki": null
}
]
}
]