
    Hybrid Analysis


    Article summary

    Hybrid Analysis, aka Falcon Sandbox, is a powerful, free malware analysis service for the community that detects and analyzes unknown threats. Hybrid Analysis has its own unique approach, and offers both public-facing and private team-based sandboxing capabilities.

    LimaCharlie integrates with two Hybrid Analysis API calls, Overview and Search, each exposed as a lookup resource that a D&R rule can query with a file hash:

    Detection & Response Rules

    Overview

    The Overview API accepts a SHA256 value and returns an extensive overview of that hash, provided the platform has previously observed it. A hash that Hybrid Analysis has never seen yields no overview, so an empty result is not evidence that a file is clean.

    D&R Rule:

    The following D&R rule performs the Overview lookup on the hash reported in the event/HASH field of every NEW_PROCESS event:

    # Overview lookup: matches every NEW_PROCESS event and sends the value of
    # event/HASH to the Hybrid Analysis Overview resource (SHA256 only).
    # NOTE(review): there is no other condition on this rule, so every process
    # start on every sensor results in an outbound call to a third-party API;
    # scope it further (e.g. by path or parent) before deploying at scale to
    # limit quota use and the data sent off-platform.
    # NOTE(review): a "clean" / "no specific threat" verdict describes the file,
    # not how it is being used -- the sample response below shows this cmd.exe
    # hash previously submitted under names such as sethc.exe and utilman.exe,
    # so treat the lookup result as enrichment context, not as a final verdict.
    event: NEW_PROCESS
    op: lookup
    path: event/HASH
    resource: lcr://api/hybrid-analysis-overview

    Response Data:

    {
      "result": {
        "analysis_start_time": "2023-07-17T18:31:04+00:00",
        "architecture": "WINDOWS",
        "children_in_progress": 0,
        "children_in_queue": 0,
        "last_file_name": "cmd.exe",
        "last_multi_scan": "2023-07-17T18:31:09+00:00",
        "multiscan_result": 0,
        "other_file_name": [
          "Utilman.exe",
          "file",
          "kiss.exe",
          "osk.exe",
          "sethc.exe",
          "utilman.exe"
        ],
        "related_children_hashes": [],
        "related_parent_hashes": [
          "c502bd80423e10dcc4b59fe4b523acb5ce0bd07748f73c7bdc6c797883b8a417"
        ],
        "related_reports": [
          {
            "environment_id": 100,
            "error_origin": null,
            "error_type": null,
            "job_id": "627e3011d695730f2c3ad419",
            "sha256": "c502bd80423e10dcc4b59fe4b523acb5ce0bd07748f73c7bdc6c797883b8a417",
            "state": "SUCCESS",
            "verdict": "no verdict"
          }
        ],
        "reports": [
          "58593319aac2edc56d351531",
          "5a34f2a27ca3e13531789a95",
          "5f196598eac13102deff3d42",
          "64b588e7e14d64e6a60b2130",
          "5965d8027ca3e10ec737634f",
          "60251a499b1b3016bb674fb4",
          "637f3600a3d94f1ecc7c1800"
        ],
        "scanners": [
          {
            "anti_virus_results": [],
            "error_message": null,
            "name": "CrowdStrike Falcon Static Analysis (ML)",
            "percent": 0,
            "positives": null,
            "progress": 100,
            "status": "clean",
            "total": null
          },
          {
            "anti_virus_results": [],
            "error_message": null,
            "name": "Metadefender",
            "percent": 0,
            "positives": 0,
            "progress": 100,
            "status": "clean",
            "total": 27
          },
          {
            "anti_virus_results": [],
            "error_message": null,
            "name": "VirusTotal",
            "percent": 0,
            "positives": 0,
            "progress": 100,
            "status": "clean",
            "total": 75
          }
        ],
        "scanners_v2": {
          "bfore_ai": null,
          "clean_dns": null,
          "crowdstrike_ml": {
            "anti_virus_results": [],
            "error_message": null,
            "name": "CrowdStrike Falcon Static Analysis (ML)",
            "percent": 0,
            "progress": 100,
            "status": "clean"
          },
          "metadefender": {
            "anti_virus_results": [],
            "error_message": null,
            "name": "Metadefender",
            "percent": 0,
            "positives": 0,
            "progress": 100,
            "status": "clean",
            "total": 27
          },
          "scam_adviser": null,
          "urlscan_io": null,
          "virustotal": {
            "error_message": null,
            "name": "VirusTotal",
            "percent": 0,
            "positives": 0,
            "progress": 100,
            "status": "clean",
            "total": 75
          }
        },
        "sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
        "size": 232960,
        "submit_context": [],
        "tags": [],
        "threat_score": null,
        "type": "PE32+ executable (console) x86-64, for MS Windows",
        "type_short": [
          "peexe",
          "64bits",
          "executable"
        ],
        "url_analysis": false,
        "verdict": "no specific threat",
        "vx_family": null,
        "whitelisted": false
      }
    }

    The Search API provides a basic lookup of a hash value and returns the analysis records that match it. This lookup accepts one of the following hash types:

    • MD5

    • SHA1

    • SHA256

    D&R Rule:

    # Search lookup: matches every NEW_PROCESS event and queries the Hybrid
    # Analysis Search resource with event/HASH (MD5, SHA1 or SHA256 accepted).
    # NOTE(review): as with the Overview rule there is no other condition here,
    # so each process start produces an outbound third-party API call; narrow
    # the rule before relying on it in production.
    event: NEW_PROCESS
    op: lookup
    path: event/HASH
    resource: lcr://api/hybrid-analysis-search

    Response Data:

    [
      {
        "classification_tags": [],
        "tags": [],
        "submissions": [
          {
            "submission_id": "64b588e7e14d64e6a60b2131",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2023-07-17T18:31:03+00:00"
          }
        ],
        "machine_learning_models": [],
        "crowdstrike_ai": {
          "executable_process_memory_analysis": [],
          "analysis_related_urls": []
        },
        "job_id": "64b588e7e14d64e6a60b2130",
        "environment_id": 160,
        "environment_description": "Windows 10 64 bit",
        "size": 232960,
        "type": "PE32+ executable (console) x86-64, for MS Windows",
        "type_short": [
          "peexe",
          "64bits",
          "executable"
        ],
        "target_url": null,
        "state": "SUCCESS",
        "error_type": null,
        "error_origin": null,
        "submit_name": "cmd.exe",
        "md5": "f4f684066175b77e0c3a000549d2922c",
        "sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
        "sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
        "sha512": "fe8f0593cc335ad28eb90211bc4ff01a3d2992cffb3877d04cefede9ef94afeb1a7d7874dd0c0ae04eaf8308291d5a4d879e6ecf6fe2b8d0ff1c3ac7ef143206",
        "ssdeep": "3072:bkd4COZG6/A1tO1Y6TbkX2FtynroeJ/MEJoSsasbLLkhyjyGe:bkuC9+Af0Y6TbbFtkoeJk1KsfLXm",
        "imphash": "3062ed732d4b25d1c64f084dac97d37a",
        "entrypoint": "0x140015190",
        "entrypoint_section": ".text",
        "image_base": "0x140000000",
        "subsystem": "Windows Cui",
        "image_file_characteristics": [
          "EXECUTABLE_IMAGE",
          "LARGE_ADDRESS_AWARE"
        ],
        "dll_characteristics": [
          "GUARD_CF",
          "TERMINAL_SERVER_AWARE",
          "DYNAMIC_BASE",
          "NX_COMPAT",
          "HIGH_ENTROPY_VA"
        ],
        "major_os_version": 10,
        "minor_os_version": 0,
        "av_detect": 0,
        "vx_family": null,
        "url_analysis": false,
        "analysis_start_time": "2023-07-17T18:31:04+00:00",
        "threat_score": null,
        "interesting": false,
        "threat_level": 0,
        "verdict": "no specific threat",
        "certificates": [],
        "is_certificates_valid": false,
        "certificates_validation_message": "No signature was present in the subject. (0x800b0100)",
        "domains": [],
        "compromised_hosts": [],
        "hosts": [],
        "total_network_connections": 0,
        "total_processes": 1,
        "total_signatures": 99,
        "extracted_files": [],
        "file_metadata": null,
        "processes": [],
        "mitre_attcks": [
          {
            "tactic": "Execution",
            "technique": "Shared Modules",
            "attck_id": "T1129",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1129",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 3,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Execution",
            "technique": "Native API",
            "attck_id": "T1106",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 2,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 10,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Execution",
            "technique": "Windows Command Shell",
            "attck_id": "T1059.003",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1059/003",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Command and Scripting Interpreter",
              "attck_id": "T1059",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1059"
            }
          },
          {
            "tactic": "Persistence",
            "technique": "Windows Service",
            "attck_id": "T1543.003",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1543/003",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": {
              "technique": "Create or Modify System Process",
              "attck_id": "T1543",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1543"
            }
          },
          {
            "tactic": "Persistence",
            "technique": "Create or Modify System Process",
            "attck_id": "T1543",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1543",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Persistence",
            "technique": "Registry Run Keys / Startup Folder",
            "attck_id": "T1547.001",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1547/001",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Boot or Logon Autostart Execution",
              "attck_id": "T1547",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1547"
            }
          },
          {
            "tactic": "Privilege Escalation",
            "technique": "Windows Service",
            "attck_id": "T1543.003",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1543/003",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": {
              "technique": "Create or Modify System Process",
              "attck_id": "T1543",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1543"
            }
          },
          {
            "tactic": "Privilege Escalation",
            "technique": "Token Impersonation/Theft",
            "attck_id": "T1134.001",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 3,
            "informative_identifiers": [],
            "parent": {
              "technique": "Access Token Manipulation",
              "attck_id": "T1134",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1134"
            }
          },
          {
            "tactic": "Privilege Escalation",
            "technique": "Create or Modify System Process",
            "attck_id": "T1543",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1543",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Privilege Escalation",
            "technique": "Create Process with Token",
            "attck_id": "T1134.002",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1134/002",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Access Token Manipulation",
              "attck_id": "T1134",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1134"
            }
          },
          {
            "tactic": "Privilege Escalation",
            "technique": "Dynamic-link Library Injection",
            "attck_id": "T1055.001",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055/001",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Process Injection",
              "attck_id": "T1055",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
            }
          },
          {
            "tactic": "Privilege Escalation",
            "technique": "Thread Execution Hijacking",
            "attck_id": "T1055.003",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055/003",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 1,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 0,
            "informative_identifiers": [],
            "parent": {
              "technique": "Process Injection",
              "attck_id": "T1055",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
            }
          },
          {
            "tactic": "Privilege Escalation",
            "technique": "Process Injection",
            "attck_id": "T1055",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Privilege Escalation",
            "technique": "Registry Run Keys / Startup Folder",
            "attck_id": "T1547.001",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1547/001",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Boot or Logon Autostart Execution",
              "attck_id": "T1547",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1547"
            }
          },
          {
            "tactic": "Privilege Escalation",
            "technique": "Extra Window Memory Injection",
            "attck_id": "T1055.011",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055/011",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 1,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 0,
            "informative_identifiers": [],
            "parent": {
              "technique": "Process Injection",
              "attck_id": "T1055",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Obfuscated Files or Information",
            "attck_id": "T1027",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1027",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Match Legitimate Name or Location",
            "attck_id": "T1036.005",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1036/005",
            "malicious_identifiers_count": 1,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 0,
            "informative_identifiers": [],
            "parent": {
              "technique": "Masquerading",
              "attck_id": "T1036",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1036"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Debugger Evasion",
            "attck_id": "T1622",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1622",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Defense Evasion",
            "technique": "File and Directory Permissions Modification",
            "attck_id": "T1222",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1222",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Token Impersonation/Theft",
            "attck_id": "T1134.001",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 3,
            "informative_identifiers": [],
            "parent": {
              "technique": "Access Token Manipulation",
              "attck_id": "T1134",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1134"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Timestomp",
            "attck_id": "T1070.006",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1070/006",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": {
              "technique": "Indicator Removal",
              "attck_id": "T1070",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1070"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Modify Registry",
            "attck_id": "T1112",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1112",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 4,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Disable or Modify Tools",
            "attck_id": "T1562.001",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1562/001",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Impair Defenses",
              "attck_id": "T1562",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1562"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Create Process with Token",
            "attck_id": "T1134.002",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1134/002",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Access Token Manipulation",
              "attck_id": "T1134",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1134"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Dynamic-link Library Injection",
            "attck_id": "T1055.001",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055/001",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Process Injection",
              "attck_id": "T1055",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Thread Execution Hijacking",
            "attck_id": "T1055.003",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055/003",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 1,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 0,
            "informative_identifiers": [],
            "parent": {
              "technique": "Process Injection",
              "attck_id": "T1055",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Process Injection",
            "attck_id": "T1055",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Defense Evasion",
            "technique": "File Deletion",
            "attck_id": "T1070.004",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1070/004",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Indicator Removal",
              "attck_id": "T1070",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1070"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Direct Volume Access",
            "attck_id": "T1006",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1006",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Time Based Evasion",
            "attck_id": "T1497.003",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1497/003",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": {
              "technique": "Virtualization/Sandbox Evasion",
              "attck_id": "T1497",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1497"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Software Packing",
            "attck_id": "T1027.002",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1027/002",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 3,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 0,
            "informative_identifiers": [],
            "parent": {
              "technique": "Obfuscated Files or Information",
              "attck_id": "T1027",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1027"
            }
          },
          {
            "tactic": "Defense Evasion",
            "technique": "Extra Window Memory Injection",
            "attck_id": "T1055.011",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055/011",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 1,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 0,
            "informative_identifiers": [],
            "parent": {
              "technique": "Process Injection",
              "attck_id": "T1055",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
            }
          },
          {
            "tactic": "Credential Access",
            "technique": "Credential API Hooking",
            "attck_id": "T1056.004",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1056/004",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 1,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 0,
            "informative_identifiers": [],
            "parent": {
              "technique": "Input Capture",
              "attck_id": "T1056",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1056"
            }
          },
          {
            "tactic": "Discovery",
            "technique": "File and Directory Discovery",
            "attck_id": "T1083",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1083",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 7,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "Process Discovery",
            "attck_id": "T1057",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1057",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 1,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 4,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "Query Registry",
            "attck_id": "T1012",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1012",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 1,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 4,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "System Service Discovery",
            "attck_id": "T1007",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1007",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "System Information Discovery",
            "attck_id": "T1082",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 9,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "System Language Discovery",
            "attck_id": "T1614.001",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1614/001",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "System Location Discovery",
              "attck_id": "T1614",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1614"
            }
          },
          {
            "tactic": "Discovery",
            "technique": "Debugger Evasion",
            "attck_id": "T1622",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1622",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "System Owner/User Discovery",
            "attck_id": "T1033",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1033",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "System Network Connections Discovery",
            "attck_id": "T1049",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1049",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "System Network Configuration Discovery",
            "attck_id": "T1016",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1016",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "Network Share Discovery",
            "attck_id": "T1135",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1135",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "System Location Discovery",
            "attck_id": "T1614",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1614",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "System Time Discovery",
            "attck_id": "T1124",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1124",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "Time Based Evasion",
            "attck_id": "T1497.003",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1497/003",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 2,
            "informative_identifiers": [],
            "parent": {
              "technique": "Virtualization/Sandbox Evasion",
              "attck_id": "T1497",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1497"
            }
          },
          {
            "tactic": "Lateral Movement",
            "technique": "Lateral Tool Transfer",
            "attck_id": "T1570",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1570",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Collection",
            "technique": "Credential API Hooking",
            "attck_id": "T1056.004",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1056/004",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 1,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 0,
            "informative_identifiers": [],
            "parent": {
              "technique": "Input Capture",
              "attck_id": "T1056",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1056"
            }
          },
          {
            "tactic": "Collection",
            "technique": "Local Data Staging",
            "attck_id": "T1074.001",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1074/001",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": {
              "technique": "Data Staged",
              "attck_id": "T1074",
              "attck_id_wiki": "https://attack.mitre.org/techniques/T1074"
            }
          },
          {
            "tactic": "Command and Control",
            "technique": "Application Layer Protocol",
            "attck_id": "T1071",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1071",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Command and Control",
            "technique": "Ingress Tool Transfer",
            "attck_id": "T1105",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1105",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Exfiltration",
            "technique": "Scheduled Transfer",
            "attck_id": "T1029",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1029",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Impact",
            "technique": "Service Stop",
            "attck_id": "T1489",
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1489",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          }
        ],
        "network_mode": "default",
        "signatures": [
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "api-7",
            "type": 6,
            "relevance": 1,
            "name": "Loads modules at runtime",
            "description": "\"cmd.exe\" loaded module \"KERNEL32\" at base e8360000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-STRING-L1-1-0\" at base e5170000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-DATETIME-L1-1-1\" at base e5170000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-LOCALIZATION-OBSOLETE-L1-2-0\" at base e5170000\n \"cmd.exe\" loaded module \"%WINDIR%\\SYSTEM32\\IMM32.DLL\" at base e5be0000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-SYNCH-L1-2-0\" at base e5170000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-FIBERS-L1-1-1\" at base e5170000\n \"cmd.exe\" loaded module \"API-MS-WIN-CORE-LOCALIZATION-L1-2-1\" at base e5170000\n \"cmd.exe\" loaded module \"%WINDIR%\\TEMP\\VXOLE64.DLL\" at base d3ef0000\n \"cmd.exe\" loaded module \"KERNEL32.DLL\" at base e8360000",
            "origin": "API Call",
            "attck_id": "T1129",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1129"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "api-175",
            "type": 6,
            "relevance": 1,
            "name": "Calls an API typically used to load libraries",
            "description": "\"cmd.exe\" called \"LoadLibrary\" with a parameter api-ms-win-core-synch-l1-2-0 (UID: 00000000-00004716)\n \"cmd.exe\" called \"LoadLibrary\" with a parameter api-ms-win-core-fibers-l1-1-1 (UID: 00000000-00004716)\n \"cmd.exe\" called \"LoadLibrary\" with a parameter api-ms-win-core-localization-l1-2-1 (UID: 00000000-00004716)\n \"cmd.exe\" called \"LoadLibrary\" with a parameter kernel32 (UID: 00000000-00004716)",
            "origin": "API Call",
            "attck_id": "T1129",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1129"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "api-176",
            "type": 6,
            "relevance": 1,
            "name": "Calls an API typically used to retrieve function addresses",
            "description": "\"cmd.exe\" called \"GetProcAddress\" with a parameter InitializeCriticalSectionEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlsAlloc (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlsSetValue (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlsGetValue (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter LCMapStringEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlsFree (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter InitOnceExecuteOnce (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateEventExW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateSemaphoreW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateSemaphoreExW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateThreadpoolTimer (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SetThreadpoolTimer (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter WaitForThreadpoolTimerCallbacks (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CloseThreadpoolTimer (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateThreadpoolWait (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SetThreadpoolWait (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CloseThreadpoolWait (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FlushProcessWriteBuffers (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter FreeLibraryWhenCallbackReturns (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a 
parameter GetCurrentProcessorNumber (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateSymbolicLinkW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetCurrentPackageId (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetTickCount64 (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetFileInformationByHandleEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SetFileInformationByHandle (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetSystemTimePreciseAsFileTime (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter InitializeConditionVariable (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter WakeConditionVariable (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter WakeAllConditionVariable (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SleepConditionVariableCS (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter InitializeSRWLock (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter AcquireSRWLockExclusive (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter TryAcquireSRWLockExclusive (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter ReleaseSRWLockExclusive (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SleepConditionVariableSRW (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CreateThreadpoolWork (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter SubmitThreadpoolWork (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter CloseThreadpoolWork (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" 
with a parameter CompareStringEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter GetLocaleInfoEx (UID: 00000000-00004716)\n \"cmd.exe\" called \"GetProcAddress\" with a parameter AreFileApisANSI (UID: 00000000-00004716)",
            "origin": "API Call",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "module-10",
            "type": 10,
            "relevance": 0,
            "name": "Loads the RPC (Remote Procedure Call) module DLL",
            "description": "\"cmd.exe\" loaded module \"%WINDIR%\\System32\\rpcrt4.dll\" at E8420000",
            "origin": "Loaded Module",
            "attck_id": "T1129",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1129"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "module-9",
            "type": 10,
            "relevance": 0,
            "name": "Loads the Bcrypt module DLL",
            "description": "\"cmd.exe\" loaded module \"%WINDIR%\\System32\\bcryptprimitives.dll\" at E55D0000",
            "origin": "Loaded Module",
            "attck_id": "T1027",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1027"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "registry-25",
            "type": 3,
            "relevance": 3,
            "name": "Reads information about supported languages",
            "description": "\"cmd.exe\" (Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE\"; Key: \"EN-US\")\n \"cmd.exe\" (Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\EXTENDEDLOCALE\"; Key: \"EN-US\")\n \"cmd.exe\" (Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\LOCALE\"; Key: \"00000409\")",
            "origin": "Registry Access",
            "attck_id": "T1082",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-101",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to execute Windows APIs",
            "description": "Found reference to API (Indicator: \"SetConsoleInputExeNameW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"IsDebuggerPresent\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CopyFileExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetThreadUILanguage\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtQueryInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlCreateUnicodeStringFromAsciiz\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlNtStatusToDosError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtSetInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlFreeUnicodeString\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlDosPathNameToRelativeNtPathName_U_WithStatus\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtSetInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlReleaseRelativeName\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtQueryVolumeInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtOpenFile\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlFindLeastSignificantBit\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlDosPathNameToNtPathName_U\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtFsControlFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlFreeHeap\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlCaptureContext\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlLookupFunctionEntry\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RtlVirtualUnwind\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CopyFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReadFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetThreadLocale\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FindFirstFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetConsoleScreenBufferInfo\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFullPathNameW\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FindNextFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetConsoleOutputCP\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetStdHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCPInfo\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetFilePointer\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FindClose\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"MultiByteToWideChar\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetLastError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FillConsoleOutputCharacterW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReadConsoleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CloseHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReleaseSRWLockShared\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found 
reference to API (Indicator: \"FlushConsoleInputBuffer\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"WriteConsoleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetProcAddress\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"AcquireSRWLockShared\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileSize\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetProcessHeap\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetModuleHandleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"WideCharToMultiByte\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileType\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetConsoleCursorPosition\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RevertToSelf\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"VirtualQuery\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetLocalTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetLocaleInfoW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetUserDefaultLCID\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FileTimeToSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FileTimeToLocalFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetLocalTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetTimeFormatW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SystemTimeToFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetDateFormatW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetNumaHighestNodeNumber\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCommandLineW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetConsoleMode\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetEnvironmentVariableW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetEnvironmentVariableW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FreeEnvironmentStringsW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetConsoleMode\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetEnvironmentStringsW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetEnvironmentStringsW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetStartupInfoW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegQueryValueExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NeedCurrentDirectoryForExePathW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetLastError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegDeleteValueW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"InitializeProcThreadAttributeList\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateProcessAsUserW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegOpenKeyExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetErrorMode\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetConsoleTitleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileAttributesW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegSetValueExW\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegEnumKeyExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"UpdateProcThreadAttribute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegCreateKeyExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DeleteProcThreadAttributeList\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReadProcessMemory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateProcessW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegDeleteKeyExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"RegCloseKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"LoadLibraryExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"MoveFileWithProgressW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"LocalFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"MoveFileExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetConsoleTitleW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetVolumeInformationW\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SearchPathW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"WriteFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GlobalAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GlobalFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetFilePointerEx\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetConsoleCtrlHandler\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"EnterCriticalSection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"TryAcquireSRWLockExclusive\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ExpandEnvironmentStringsW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetModuleFileNameW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"LeaveCriticalSection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"InitializeCriticalSection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetVersion\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ReleaseSRWLockExclusive\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetWindowsDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileAttributesExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetDriveTypeW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCurrentThreadId\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapSetInformation\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"OpenThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"VirtualFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"VirtualAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapSize\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"HeapReAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DuplicateHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FlushFileBuffers\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetACP\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FormatMessageW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found 
reference to API (Indicator: \"SetConsoleTextAttribute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ScrollConsoleScreenBufferW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FillConsoleOutputAttribute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetEndOfFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetFileAttributesW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DeleteFileW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"TerminateProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"WaitForSingleObject\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetCurrentDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetExitCodeProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCurrentDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileInformationByHandleEx\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to 
API (Indicator: \"RemoveDirectoryW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CompareFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DeviceIoControl\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetFileSecurityW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetSecurityDescriptorOwner\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetDiskFreeSpaceExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"FindFirstFileExW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"ResumeThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetThreadGroupAffinity\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetNumaNodeProcessorMaskEx\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetThreadLocale\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateHardLinkW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetVolumePathNameW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"CreateSymbolicLinkW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"Sleep\"; 
File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"UnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetUnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCurrentProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"QueryPerformanceCounter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetCurrentProcessId\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetSystemTimeAsFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"GetTickCount\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"lstrcmpiW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"lstrcmpW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"SetProcessAffinityMask\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtOpenProcessToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtQueryInformationToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtClose\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"NtOpenThreadToken\"; File: 
\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"DelayLoadFailureHook\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API (Indicator: \"Beep\"; Source: \"00000000-00004716.00000000.77972.48F50000.00000002.mdmp, 00000000-00004716.00000001.79890.48F50000.00000002.mdmp, 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleInputExeNameW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"IsDebuggerPresent\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CopyFileExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetThreadUILanguage\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtQueryInformationProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlCreateUnicodeStringFromAsciiz\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlNtStatusToDosError\"; 
Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtSetInformationProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlFreeUnicodeString\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlDosPathNameToRelativeNtPathName_U_WithStatus\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtSetInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlReleaseRelativeName\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtQueryVolumeInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtOpenFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: 
\"RtlFindLeastSignificantBit\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlDosPathNameToNtPathName_U\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtFsControlFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlFreeHeap\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlCaptureContext\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlLookupFunctionEntry\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RtlVirtualUnwind\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CopyFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ReadFile\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetThreadLocale\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FindFirstFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetConsoleScreenBufferInfo\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFullPathNameW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FindNextFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetConsoleOutputCP\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetStdHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 
00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCPInfo\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetFilePointer\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FindClose\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"MultiByteToWideChar\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetLastError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FillConsoleOutputCharacterW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ReadConsoleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CloseHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ReleaseSRWLockShared\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapAlloc\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FlushConsoleInputBuffer\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"WriteConsoleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetProcAddress\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"AcquireSRWLockShared\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileSize\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found 
reference to API (Indicator: \"GetProcessHeap\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetModuleHandleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"WideCharToMultiByte\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileType\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleCursorPosition\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RevertToSelf\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"VirtualQuery\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetLocalTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetLocaleInfoW\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetUserDefaultLCID\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FileTimeToSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FileTimeToLocalFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetLocalTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetTimeFormatW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SystemTimeToFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetDateFormatW\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetNumaHighestNodeNumber\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCommandLineW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleMode\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetEnvironmentVariableW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetEnvironmentVariableW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FreeEnvironmentStringsW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetConsoleMode\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetEnvironmentStringsW\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetEnvironmentStringsW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetStartupInfoW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegQueryValueExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NeedCurrentDirectoryForExePathW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetLastError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegDeleteValueW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"InitializeProcThreadAttributeList\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateProcessAsUserW\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegOpenKeyExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetErrorMode\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetConsoleTitleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileAttributesW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegSetValueExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegEnumKeyExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"UpdateProcThreadAttribute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegCreateKeyExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 
00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DeleteProcThreadAttributeList\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ReadProcessMemory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateProcessW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegDeleteKeyExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RegCloseKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"LoadLibraryExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"MoveFileWithProgressW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"LocalFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"MoveFileExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleTitleW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetVolumeInformationW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SearchPathW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"WriteFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GlobalAlloc\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GlobalFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetFilePointerEx\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API 
(Indicator: \"SetConsoleCtrlHandler\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"EnterCriticalSection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"TryAcquireSRWLockExclusive\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ExpandEnvironmentStringsW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetModuleFileNameW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"LeaveCriticalSection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"InitializeCriticalSection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetVersion\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: 
\"ReleaseSRWLockExclusive\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetWindowsDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileAttributesExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetDriveTypeW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCurrentThreadId\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapSetInformation\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"OpenThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"VirtualFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"VirtualAlloc\"; Source: 
\"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapSize\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"HeapReAlloc\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DuplicateHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FlushFileBuffers\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetACP\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FormatMessageW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetConsoleTextAttribute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ScrollConsoleScreenBufferW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 
00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FillConsoleOutputAttribute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetEndOfFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetFileAttributesW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DeleteFileW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"TerminateProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"WaitForSingleObject\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetCurrentDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetExitCodeProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCurrentDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileInformationByHandleEx\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"RemoveDirectoryW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CompareFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DeviceIoControl\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetFileSecurityW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetSecurityDescriptorOwner\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetDiskFreeSpaceExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"FindFirstFileExW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"ResumeThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetThreadGroupAffinity\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetNumaNodeProcessorMaskEx\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetThreadLocale\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateHardLinkW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetVolumePathNameW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"CreateSymbolicLinkW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"Sleep\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"UnhandledExceptionFilter\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetUnhandledExceptionFilter\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCurrentProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"QueryPerformanceCounter\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetCurrentProcessId\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 
00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetSystemTimeAsFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"GetTickCount\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"lstrcmpiW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"lstrcmpW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"SetProcessAffinityMask\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtOpenProcessToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtQueryInformationToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"NtClose\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found 
reference to API (Indicator: \"NtOpenThreadToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API (Indicator: \"DelayLoadFailureHook\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-7",
            "type": 2,
            "relevance": 1,
            "name": "Contains PDB pathways",
            "description": "\"cmd.pdb\"",
            "origin": "File/Memory",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-240",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to execute an application (API string)",
            "description": "Found reference to API \"ShellExecuteWorker\" (Indicator: \"ShellExecute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"ShellExecuteWorker\" (Indicator: \"ShellExecute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-315",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to create/open files (API string)",
            "description": "Found reference to API \"NtOpenFile\" (Indicator: \"NtOpenFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"CreateFileW\" (Indicator: \"CreateFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenFile\" (Indicator: \"NtOpenFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"CreateFileW\" (Indicator: \"CreateFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-220",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to create/control drivers (API string)",
            "description": "Found reference to API \"NtFsControlFile\" (Indicator: \"FsControlFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"DeviceIoControl\" (Indicator: \"DeviceIoControl\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtFsControlFile\" (Indicator: \"FsControlFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"DeviceIoControl\" (Indicator: \"DeviceIoControl\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1543.003",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1543/003"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-319",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to set/get the last-error code for a calling thread (API string)",
            "description": "Found reference to API \"GetLastError\" (Indicator: \"GetLastError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetLastError\" (Indicator: \"SetLastError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetLastError\" (Indicator: \"GetLastError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"SetLastError\" (Indicator: \"SetLastError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-272",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve/open a process (API string)",
            "description": "Found reference to API \"GetProcessHeap\" (Indicator: \"GetProcessHeap\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetProcessHeap\" (Indicator: \"GetProcessHeap\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1057",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1057"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-206",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve the command-line string for the current process (API string)",
            "description": "Found reference to API \"GetCommandLineW\" (Indicator: \"GetCommandLine\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetCommandLineW\" (Indicator: \"GetCommandLine\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1059.003",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1059/003"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-204",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to create a new process (API string)",
            "description": "Found reference to API \"CreateProcessAsUserW\" (Indicator: \"CreateProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"CreateProcessW\" (Indicator: \"CreateProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"CreateProcessAsUserW\" (Indicator: \"CreateProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"CreateProcessW\" (Indicator: \"CreateProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-307",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to create/load registry keys (API string)",
            "description": "Found reference to API \"RegCreateKeyExW\" (Indicator: \"RegCreateKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegCreateKeyExW\" (Indicator: \"RegCreateKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1112",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1112"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-345",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to disable/close registry key (API string)",
            "description": "Found reference to API \"RegCloseKey\" (Indicator: \"RegCloseKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegCloseKey\" (Indicator: \"RegCloseKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1112",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1112"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-322",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to move file or directory (API string)",
            "description": "Found reference to API \"MoveFileWithProgressW\" (Indicator: \"MoveFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"MoveFileExW\" (Indicator: \"MoveFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"MoveFileWithProgressW\" (Indicator: \"MoveFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"MoveFileExW\" (Indicator: \"MoveFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1570",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1570"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-161",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve/modify process thread (API string)",
            "description": "Found reference to API \"OpenThread\" (Indicator: \"OpenThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"ResumeThread\" (Indicator: \"ResumeThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"OpenThread\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"OpenThread\" (Indicator: \"OpenThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"ResumeThread\" (Indicator: \"ResumeThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"OpenThread\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-423",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to create directories (API string)",
            "description": "Found reference to API \"CreateDirectoryW\" (Indicator: \"CreateDirectory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"CreateDirectoryW\" (Indicator: \"CreateDirectory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1074.001",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1074/001"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-120",
            "type": 2,
            "relevance": 1,
            "name": "Contains registry location strings",
            "description": "\"Software\\Microsoft\\Command Processor\" in Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\n \"Software\\Policies\\Microsoft\\Windows\\System\" in Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\n \"Software\\Classes\" in Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\n \"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Keyboard Layout\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\RegEdt32\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\CLOCK\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\Windows NT\\CurrentVersion\\Devices\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\EXTENSIONS\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\CHARMAP\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\NETWORK\\\\PERSISTENT CONNECTIONS\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 
00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\TRUETYPE\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS NT\\\\CURRENTVERSION\\\\TWAIN\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS HELP\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" in Source: 00000000-00004716.00000000.77972.48F50000.00000002.mdmp\n 00000000-00004716.00000001.79890.48F50000.00000002.mdmp\n 00000000-00004716.00000002.81813.48F50000.00000002.mdmp\n \"Software\\Microsoft\\Command Processor\" in Source: 00000000-00004716.00000000.77972.49307000.00000002.mdmp\n 00000000-00004716.00000001.79890.49307000.00000002.mdmp\n 00000000-00004716.00000002.81813.49307000.00000002.mdmp\n \"Software\\Policies\\Microsoft\\Windows\\System\" in Source: 00000000-00004716.00000000.77972.49307000.00000002.mdmp\n 00000000-00004716.00000001.79890.49307000.00000002.mdmp\n 00000000-00004716.00000002.81813.49307000.00000002.mdmp\n \"Software\\Classes\" in Source: 00000000-00004716.00000000.77972.49307000.00000002.mdmp\n 00000000-00004716.00000001.79890.49307000.00000002.mdmp\n 
00000000-00004716.00000002.81813.49307000.00000002.mdmp",
            "origin": "File/Memory",
            "attck_id": "T1012",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1012"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "static-157",
            "type": 0,
            "relevance": 0,
            "name": "Matched Compiler/Packer signature (DIE)",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" was detected as \"Microsoft Visual C/C++\"  and name: \"Compiler\"\n \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" was detected as \"Microsoft Linker\"  and name: \"Linker\"",
            "origin": "Static Parser",
            "attck_id": "T1027",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1027"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "static-93",
            "type": 0,
            "relevance": 1,
            "name": "PE file has a high image base",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has high imagebase  \"0x140000000\"",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "static-154",
            "type": 0,
            "relevance": 0,
            "name": "File contains dynamic base/NX flags",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has flags like  IMAGE_DLLCHARACTERISTICS_GUARD_CF\n IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE\n IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE\n IMAGE_DLLCHARACTERISTICS_NX_COMPAT\n IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "static-96",
            "type": 0,
            "relevance": 0,
            "name": "PE file entrypoint instructions",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" file has an entrypoint instructions - \"sub\trsp, 0x28,call\t0x1400156b4,add\trsp, 0x28,jmp\t0x140014fc0,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,nop\tword ptr [rax + rax],cmp\trcx, qword ptr [rip + 0x19e41],jne\t0x1400151d9,rol\trcx, 0x10,test\tcx, 0xffff,jne\t0x1400151d5,ret\t,ror\trcx, 0x10,jmp\t0x140015220,int3\t,int3\t,int3\t,int3\t,int3\t,int3\t,push\trbx,sub\trsp, 0x20,mov\trbx, rcx,xor\tecx, ecx,\"",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "static-80",
            "type": 0,
            "relevance": 1,
            "name": "PE file contains executable sections",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has an executable section named \".text\"",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "static-95",
            "type": 0,
            "relevance": 0,
            "name": "PE file contains writable sections",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has an writable section named \".data\"\n \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has an writable section named \".didat\"",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "static-146",
            "type": 0,
            "relevance": 0,
            "name": "PE file contains Debug data directory",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has Debug data directory \"IMAGE_DIRECTORY_ENTRY_DEBUG\"",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "stream-103",
            "type": 1,
            "relevance": 3,
            "name": "Contains ability to delay the execution of current thread",
            "description": "Sleep at 61526-1-0000000140015190",
            "origin": "Hybrid Analysis Technology",
            "attck_id": "T1497.003",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1497/003"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-625",
            "type": 2,
            "relevance": 1,
            "name": "References Windows filepaths for DLLs (possible dropped files)",
            "description": "Observed system executable string:\"C:\\windows\\temp\\VxSSL64.dll\" [Source: 00000000-00004716.00000000.77972.67BF0000.00000020.mdmp\n 00000000-00004716.00000001.79890.67BF0000.00000020.mdmp\n 00000000-00004716.00000002.81813.67BF0000.00000020.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\sxsoa.dll\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\GdiPlus.dll\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\comctl32.dll\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\sxsoaps.dll\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\system32\\comctl32.dll.mui\" [Source: 00000000-00004716.00000000.77972.67C20000.00000002.mdmp\n 00000000-00004716.00000001.79890.67C20000.00000002.mdmp\n 00000000-00004716.00000002.81813.67C20000.00000002.mdmp]\n Observed system executable string:\":\\WINDOWS\\SYSTEM32\\ntdll.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\KERNEL32.DLL\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 
00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\msvcrt.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\KERNELBASE.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\windows\\temp\\VxSSL64.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\WS2_32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\"C:\\windows\\temp\\VxOle64.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000000.77972.69E40000.00000020.mdmp\n 00000000-00004716.00000000.77972.69E70000.00000002.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69E40000.00000020.mdmp\n 00000000-00004716.00000001.79890.69E70000.00000002.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69E40000.00000020.mdmp\n 00000000-00004716.00000002.81813.69E70000.00000002.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\RPCRT4.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n 
Observed system executable string:\":\\WINDOWS\\SYSTEM32\\FLTLIB.DLL\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\"C:\\WINDOWS\\SYSTEM32\\gdi32full.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\ucrtbase.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\USER32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\ADVAPI32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\ole32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\GDI32.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\gdi32full.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 
00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\combase.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\msvcp_win.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]\n Observed system executable string:\":\\WINDOWS\\System32\\sechost.dll\" [Source: 00000000-00004716.00000000.77972.69D30000.00000004.mdmp\n 00000000-00004716.00000001.79890.69D30000.00000004.mdmp\n 00000000-00004716.00000002.81813.69D30000.00000004.mdmp]",
            "origin": "File/Memory",
            "attck_id": "T1083",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Unusual Characteristics",
            "identifier": "registry-26",
            "type": 3,
            "relevance": 2,
            "name": "Reads the windows installation language",
            "description": "\"cmd.exe\" (Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\LANGUAGE GROUPS\"; Key: \"1\")",
            "origin": "Registry Access",
            "attck_id": "T1614.001",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1614/001"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Installation/Persistence",
            "identifier": "api-126",
            "type": 6,
            "relevance": 3,
            "name": "Tries to access non-existent files (executable)",
            "description": "\"cmd.exe\" trying to access non-existent file \"C:\\FLTLIB.DLL\"\n \"cmd.exe\" trying to access non-existent file \"C:\\NETMSG.DLL\"\n \"cmd.exe\" trying to access non-existent file \"C:\\netmsg.dll\"",
            "origin": "API Call",
            "attck_id": "T1083",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Installation/Persistence",
            "identifier": "api-263",
            "type": 6,
            "relevance": 1,
            "name": "Touches files",
            "description": "\"cmd.exe\" trying to touch file \"C:\\FLTLIB.DLL\"\n \"cmd.exe\" trying to touch file \"C:\\Windows\\System32\\fltLib.dll\"\n \"cmd.exe\" trying to touch file \"C:\\Windows\\System32\\KernelBase.dll\"\n \"cmd.exe\" trying to touch file \"C:\\windows\\temp\\VxOle64.dll\"\n \"cmd.exe\" trying to touch file \"C:\\Windows\\System32\\imm32.dll\"\n \"cmd.exe\" trying to touch file \"C:\\WINDOWS\\system32\\IMM32.DLL\"\n \"cmd.exe\" trying to touch file \"C:\\EN-US\\CMD.EXE.MUI\"\n \"cmd.exe\" trying to touch file \"C:\\EN\\CMD.EXE.MUI\"\n \"cmd.exe\" trying to touch file \"C:\\cmd.exe\"\n \"cmd.exe\" trying to touch file \"C:\\Windows\\System32\\oleaut32.dll\"",
            "origin": "API Call",
            "attck_id": "T1083",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Installation/Persistence",
            "identifier": "api-235",
            "type": 6,
            "relevance": 1,
            "name": "Queries basic information of the specified process",
            "description": "\"cmd.exe\" queries basic process information of the  \"C:\\cmd.exe\" (UID: 4716)",
            "origin": "API Call",
            "attck_id": "T1057",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1057"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Installation/Persistence",
            "identifier": "registry-177",
            "type": 3,
            "relevance": 1,
            "name": "Opens registry keys",
            "description": "\"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\\SEGMENT HEAP\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\CONHOST.EXE\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\BAM\\USERSETTINGS\\S-1-5-21-735145574-3570218355-1207367261-1001\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\\BAM\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SAFEBOOT\\OPTION\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SRP\\GP\\DLL\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SAFER\\CODEIDENTIFIERS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SAFER\\CODEIDENTIFIERS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\FILESYSTEM\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKCU\\CONTROL PANEL\\DESKTOP\\MUICACHED\\MACHINELANGUAGECONFIGURATION\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\MUI\\SETTINGS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"OPEN\"; Path: \"HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\CONTROL PANEL\\DESKTOP\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: 
\"OPEN\"; Path: \"HKCU\\CONTROL PANEL\\DESKTOP\\LANGUAGECONFIGURATION\"; Key: \"\"; Value: \"\")",
            "origin": "Registry Access",
            "attck_id": "T1012",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1012"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Installation/Persistence",
            "identifier": "registry-172",
            "type": 3,
            "relevance": 1,
            "name": "Queries registry keys",
            "description": "\"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\"; Key: \"RESOURCEPOLICIES\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\BAM\\USERSETTINGS\\S-1-5-21-735145574-3570218355-1207367261-1001\"; Key: \"\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CONHOST.EXE\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SAFER\\CODEIDENTIFIERS\"; Key: \"TRANSPARENTENABLED\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\FILESYSTEM\"; Key: \"LONGPATHSENABLED\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS\"; Key: \"\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKCU\\CONTROL PANEL\\DESKTOP\"; Key: \"PREFERREDUILANGUAGES\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKCU\\CONTROL PANEL\\DESKTOP\\MUICACHED\"; Key: \"MACHINEPREFERREDUILANGUAGES\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\SIDEBYSIDE\"; Key: \"PREFEREXTERNALMANIFEST\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\"; Key: \"SAFEDLLSEARCHMODE\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\LSA\\FIPSALGORITHMPOLICY\"; Key: \"ENABLED\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\LSA\"; Key: \"FIPSALGORITHMPOLICY\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\LSA\\FIPSALGORITHMPOLICY\"; Key: \"MDMENABLED\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\OLE\"; Key: \"PAGEALLOCATORUSESYSTEMHEAP\"; Value: 
\"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\OLE\"; Key: \"PAGEALLOCATORSYSTEMHEAPISPRIVATE\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\OLE\"; Key: \"AGGRESSIVEMTATESTING\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_INITIALIZE\"; Key: \"DISABLEMETAFILES\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKCU\\CONTROL PANEL\\DESKTOP\"; Key: \"ENABLEPERPROCESSSYSTEMDPI\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\COMPATIBILITY32\"; Key: \"CMD\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\CMF\\CONFIG\"; Key: \"SYSTEM\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS\"; Key: \"LOADAPPINIT_DLLS\"; Value: \"\")\n \"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SYSTEM\"; Key: \"DISABLECMD\"; Value: \"\")",
            "origin": "Registry Access",
            "attck_id": "T1012",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1012"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Installation/Persistence",
            "identifier": "string-310",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to load modules (API string)",
            "description": "Found reference to API \"LoadLibraryExW\" (Indicator: \"LoadLibrary\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"LoadLibraryExW\" (Indicator: \"LoadLibrary\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Installation/Persistence",
            "identifier": "string-443",
            "type": 2,
            "relevance": 1,
            "name": "Contains registry location which perform auto-execute functionality",
            "description": "Found string \"Software\\Microsoft\\Command Processor\" (Indicator: \"software\\microsoft\\command processor\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found string \"Software\\Microsoft\\Command Processor\" (Indicator: \"software\\microsoft\\command processor\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1547.001",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1547/001"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "string-304",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to modify registry key/value (API string)",
            "description": "Found reference to API \"RegSetValueExW\" (Indicator: \"RegSetValue\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegSetValueExW\" (Indicator: \"RegSetValue\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1112",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1112"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "string-318",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to load/free library (API string)",
            "description": "Found reference to API \"LoadLibraryExW\" (Indicator: \"LoadLibrary\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"LoadLibraryExW\" (Indicator: \"LoadLibrary\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1055.001",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055/001"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "string-92",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to inject code into another process (API string)",
            "description": "Found reference to API \"VirtualFree\" (Indicator: \"VirtualFree\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"VirtualAlloc\" (Indicator: \"VirtualAlloc\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"VirtualFree\" (Indicator: \"VirtualFree\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"VirtualAlloc\" (Indicator: \"VirtualAlloc\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1055",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "string-409",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to set file time (API string)",
            "description": "Found reference to API \"SetFileTime\" (Indicator: \"SetFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetFileTime\" (Indicator: \"SetFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1070.006",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1070/006"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "string-226",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to delay execution by waiting for signal/timeout (API string)",
            "description": "Found reference to API \"WaitForSingleObject\" (Indicator: \"WaitForSingleObject\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WaitForSingleObject\" (Indicator: \"WaitForSingleObject\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "string-306",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to impersonate access tokens (API string)",
            "description": "Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcessToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"OpenThreadToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcessToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"OpenThreadToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1134.001",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "memorydump-8",
            "type": 20,
            "relevance": 1,
            "name": "Found PE header in memory",
            "description": "Found PE header \"MZ\" - Source: \"00000000-00004716.00000000.77972.492E0000.00000002.mdmp\")\n Found PE header \"MZ\" - Source: \"00000000-00004716.00000001.79890.492E0000.00000002.mdmp\")\n Found PE header \"MZ\" - Source: \"00000000-00004716.00000002.81813.492E0000.00000002.mdmp\")",
            "origin": "Memory Dumps",
            "attck_id": "T1055",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1055"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Reverse Engineering",
            "identifier": "string-183",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to check debugger is running (API string)",
            "description": "Found reference to API \"IsDebuggerPresent\" (Indicator: \"IsDebuggerPresent\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryInformationProcess\" (Indicator: \"NtQueryInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"QueryPerformanceCounter\" (Indicator: \"QueryPerformanceCounter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetTickCount\" (Indicator: \"GetTickCount\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
            "origin": "File/Memory",
            "attck_id": "T1622",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1622"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Reverse Engineering",
            "identifier": "string-148",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to register a top-level exception handler (API string)",
            "description": "Found reference to API \"UnhandledExceptionFilter\" (Indicator: \"UnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetUnhandledExceptionFilter\" (Indicator: \"SetUnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetUnhandledExceptionFilter\" (Indicator: \"UnhandledExceptionFilter\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
            "origin": "File/Memory",
            "attck_id": "T1622",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1622"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "registry-78",
            "type": 3,
            "relevance": 1,
            "name": "Contains ability to read software policies",
            "description": "\"cmd.exe\" (Path: \"HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SAFER\\CODEIDENTIFIERS\"; Key: \"TRANSPARENTENABLED\")",
            "origin": "Registry Access",
            "attck_id": "T1082",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-222",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve network parameters of a computer (API string)",
            "description": "Found reference to API \"WNetGetConnectionWStub\" (Indicator: \"NetGetConnection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WNetGetConnectionWStub\" (Indicator: \"NetGetConnection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1016",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1016"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-89",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve information about the current system (API string)",
            "description": "Found reference to API \"RtlNtStatusToDosError\" (Indicator: \"RtlNtStatusToDosError\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"ExpandEnvironmentStringsW\" (Indicator: \"ExpandEnvironmentStrings\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RtlNtStatusToDosError\" (Indicator: \"RtlNtStatusToDosError\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"ExpandEnvironmentStringsW\" (Indicator: \"ExpandEnvironmentStrings\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1082",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-162",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve volume information (API string)",
            "description": "Found reference to API \"NtQueryVolumeInformationFile\" (Indicator: \"NtQueryVolumeInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetVolumeInformationW\" (Indicator: \"GetVolumeInformation\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryVolumeInformationFile\" (Indicator: \"NtQueryVolumeInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetVolumeInformationW\" (Indicator: \"GetVolumeInformation\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1082",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-201",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to query system locale (API string)",
            "description": "Found reference to API \"GetLocaleInfoW\" (Indicator: \"GetLocaleInfo\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetUserDefaultLCID\" (Indicator: \"GetUserDefaultLCID\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetLocaleInfoW\" (Indicator: \"GetLocaleInfo\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetUserDefaultLCID\" (Indicator: \"GetUserDefaultLCID\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1614",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1614"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-249",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve file time (API string)",
            "description": "Found reference to API \"FileTimeToSystemTime\" (Indicator: \"FileTimeToSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FileTimeToLocalFileTime\" (Indicator: \"FileTimeToLocalFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SystemTimeToFileTime\" (Indicator: \"SystemTimeToFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTimeAsFileTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FileTimeToSystemTime\" (Indicator: \"FileTimeToSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"FileTimeToLocalFileTime\" (Indicator: \"FileTimeToLocalFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"SystemTimeToFileTime\" (Indicator: \"SystemTimeToFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTimeAsFileTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1070.006",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1070/006"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-365",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to perform scheduled transfer (API string)",
            "description": "Found reference to API \"GetLocalTime\" (Indicator: \"GetLocalTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTime\" (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetLocalTime\" (Indicator: \"GetLocalTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTime\" (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1029",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1029"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-247",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve machine time (API string)",
            "description": "Found reference to API \"GetLocalTime\" (Indicator: \"GetLocalTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTime\" (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTime\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetLocalTime\" (Indicator: \"GetLocalTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTime\" (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSystemTimeAsFileTime\" (Indicator: \"GetSystemTime\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1124",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1124"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-167",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve the contents of the STARTUPINFO structure (API string)",
            "description": "Found reference to API \"GetStartupInfoW\" (Indicator: \"GetStartupInfo\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
            "origin": "File/Memory",
            "attck_id": "T1543",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1543"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-171",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve the OS information (API string)",
            "description": "Found reference to API \"GetVersion\" (Indicator: \"GetVersion\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetVersion\" (Indicator: \"GetVersion\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1082",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-312",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve path in which Windows is installed (API string)",
            "description": "Found reference to API \"GetWindowsDirectoryW\" (Indicator: \"GetWindowsDirectory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetWindowsDirectoryW\" (Indicator: \"GetWindowsDirectory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1083",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-193",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to query volume/memory size (API string)",
            "description": "Found reference to API \"GetDiskFreeSpaceExW\" (Indicator: \"GetDiskFreeSpace\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetDiskFreeSpaceExW\" (Indicator: \"GetDiskFreeSpace\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1082",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "string-194",
            "type": 2,
            "relevance": 1,
            "name": "Contains the ability to enumerate volumes (API string)",
            "description": "Found reference to API \"GetVolumePathNameW\" (Indicator: \"GetVolumePathName\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetVolumePathNameW\" (Indicator: \"GetVolumePathName\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1006",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1006"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "api-103",
            "type": 6,
            "relevance": 3,
            "name": "Calls an API typically used for taking snapshot of the specified processes",
            "description": "\"cmd.exe\" called \"CreateToolhelp32Snapshot\" with parameters {\"dwFlags\": \"4\"\n \"th32ProcessID\": \"0\"}",
            "origin": "API Call",
            "attck_id": "T1057",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1057"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-85",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to enumerate process and/or its information (API string)",
            "description": "Found reference to API \"NtQueryInformationProcess\" (Indicator: \"QueryInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetModuleHandleW\" (Indicator: \"GetModuleHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetEnvironmentStringsW\" (Indicator: \"GetEnvironmentStrings\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetCurrentProcess\" (Indicator: \"GetCurrentProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetCurrentProcessId\" (Indicator: \"GetCurrentProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryInformationProcess\" (Indicator: \"QueryInformationProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetModuleHandleW\" (Indicator: \"GetModuleHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetEnvironmentStringsW\" (Indicator: \"GetEnvironmentStrings\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetCurrentProcess\" (Indicator: \"GetCurrentProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetCurrentProcessId\" (Indicator: 
\"GetCurrentProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1057",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1057"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-121",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve usernames and/or user information (API string)",
            "description": "Found reference to API \"NtQueryInformationProcess\" (Indicator: \"NtQueryInformationProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"LookupAccountSidWStub\" (Indicator: \"LookupAccountSid\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"NtOpenProcessToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcessToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryInformationToken\" (Indicator: \"NtQueryInformationToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"NtOpenThreadToken\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtQueryInformationProcess\" (Indicator: \"NtQueryInformationProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"LookupAccountSidWStub\" (Indicator: \"LookupAccountSid\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"NtOpenProcessToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenProcessToken\" (Indicator: \"OpenProcessToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 
00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtQueryInformationToken\" (Indicator: \"NtQueryInformationToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtOpenThreadToken\" (Indicator: \"NtOpenThreadToken\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1033",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1033"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-534",
            "type": 2,
            "relevance": 0,
            "name": "Contains ability to read files (API string)",
            "description": "Found reference to API \"ReadFile\" (Indicator: \"ReadFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"ReadFile\" (Indicator: \"ReadFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1083",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-83",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to enumerate files on disk (API string)",
            "description": "Found reference to API \"FindFirstFileW\" (Indicator: \"FindFirstFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FindNextFileW\" (Indicator: \"FindNextFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FindFirstFileExW\" (Indicator: \"FindFirstFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"FindFirstFileW\" (Indicator: \"FindFirstFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"FindNextFileW\" (Indicator: \"FindNextFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"FindFirstFileExW\" (Indicator: \"FindFirstFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1083",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-317",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve address of exported function from a DLL (API string)",
            "description": "Found reference to API \"GetProcAddress\" (Indicator: \"GetProcAddress\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetProcAddress\" (Indicator: \"GetProcAddress\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-207",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve file and directory information (API string)",
            "description": "Found reference to API \"GetFileSize\" (Indicator: \"GetFileSize\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileAttributesW\" (Indicator: \"GetFileAttributes\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileAttributesExW\" (Indicator: \"GetFileAttributes\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetCurrentDirectoryW\" (Indicator: \"GetCurrentDirectory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileInformationByHandleEx\" (Indicator: \"GetFileInformationByHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileSize\" (Indicator: \"GetFileSize\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetFileAttributesW\" (Indicator: \"GetFileAttributes\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetFileAttributesExW\" (Indicator: \"GetFileAttributes\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetCurrentDirectoryW\" (Indicator: \"GetCurrentDirectory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetFileInformationByHandleEx\" (Indicator: \"GetFileInformationByHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1083",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1083"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-427",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve a module handle (API string)",
            "description": "Found reference to API \"GetModuleHandleW\" (Indicator: \"GetModuleHandle\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetModuleHandleW\" (Indicator: \"GetModuleHandle\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1082",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-107",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve the host's architecture (API string)",
            "description": "Found reference to API \"GetEnvironmentVariableW\" (Indicator: \"GetEnvironmentVariable\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetEnvironmentVariableW\" (Indicator: \"GetEnvironmentVariable\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1082",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-229",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to query registry keys (API string)",
            "description": "Found reference to API \"RegQueryValueExW\" (Indicator: \"RegQueryValue\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegOpenKeyExW\" (Indicator: \"RegOpenKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegEnumKeyExW\" (Indicator: \"RegEnumKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegQueryValueExW\" (Indicator: \"RegQueryValue\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"RegOpenKeyExW\" (Indicator: \"RegOpenKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"RegEnumKeyExW\" (Indicator: \"RegEnumKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1012",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1012"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-164",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve the fully qualified path of module (API string)",
            "description": "Found reference to API \"GetModuleFileNameW\" (Indicator: \"GetModuleFileName\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetModuleFileNameW\" (Indicator: \"GetModuleFileName\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-80",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to determine disk drive type (API string)",
            "description": "Found reference to API \"GetDriveTypeW\" (Indicator: \"GetDriveType\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetDriveTypeW\" (Indicator: \"GetDriveType\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1082",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1082"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Spyware/Information Retrieval",
            "identifier": "string-205",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to retrieve the time elapsed since the system was started (API string)",
            "description": "Found reference to API \"GetTickCount\" (Indicator: \"GetTickCount\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetTickCount\" (Indicator: \"GetTickCount\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1497.003",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1497/003"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Network Related",
            "identifier": "string-3",
            "type": 2,
            "relevance": 3,
            "name": "Found potential URL in binary/memory",
            "description": "Heuristic match: \"fD9.tH\"\n Pattern match: \"http://schemas.microsoft.com/SMI/2005/WindowsSettings\"\n Heuristic match: \"(s.IL\"",
            "origin": "File/Memory",
            "attck_id": "T1071",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1071"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Network Related",
            "identifier": "string-257",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to enumerate network resources (API string)",
            "description": "Found reference to API \"WNetGetConnectionWStub\" (Indicator: \"NetGetConnection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WNetAddConnection2WStub\" (Indicator: \"NetAddConnection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WNetGetConnectionWStub\" (Indicator: \"NetGetConnection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"WNetAddConnection2WStub\" (Indicator: \"NetAddConnection\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1049",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1049"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Network Related",
            "identifier": "string-113",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to provide information and utilities for managing network resources (API string)",
            "description": "Found reference to API \"WNetCancelConnection2WStub\" (Indicator: \"WNetCancelConnection\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
            "origin": "File/Memory",
            "attck_id": "T1135",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1135"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "registry-173",
            "type": 3,
            "relevance": 1,
            "name": "Queries services related registry keys",
            "description": "\"cmd.exe\" (Access type: \"QUERYVAL\"; Path: \"HKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\BAM\\USERSETTINGS\\S-1-5-21-735145574-3570218355-1207367261-1001\"; Key: \"\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CONHOST.EXE\"; Value: \"\")",
            "origin": "Registry Access",
            "attck_id": "T1007",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1007"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "string-426",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to modify file attributes (API string)",
            "description": "Found reference to API \"NtSetInformationFile\" (Indicator: \"SetInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtSetInformationFile\" (Indicator: \"NtSetInformationFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"SetFileAttributesW\" (Indicator: \"SetFileAttributes\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"NtSetInformationFile\" (Indicator: \"SetInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"NtSetInformationFile\" (Indicator: \"NtSetInformationFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"SetFileAttributesW\" (Indicator: \"SetFileAttributes\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1222",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1222"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "string-114",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to obtains specified information about the security of a file or directory (API string)",
            "description": "Found reference to API \"RevertToSelf\" (Indicator: \"RevertToSelf\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetFileSecurityW\" (Indicator: \"GetFileSecurityW\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"GetSecurityDescriptorOwner\" (Indicator: \"GetSecurityDescriptorOwner\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RevertToSelf\" (Indicator: \"RevertToSelf\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetFileSecurityW\" (Indicator: \"GetFileSecurityW\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"GetSecurityDescriptorOwner\" (Indicator: \"GetSecurityDescriptorOwner\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1134.001",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "string-230",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to delete registry key/value (API string)",
            "description": "Found reference to API \"RegDeleteValueW\" (Indicator: \"RegDeleteValue\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegDeleteKeyExW\" (Indicator: \"RegDeleteKey\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RegDeleteValueW\" (Indicator: \"RegDeleteValue\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"RegDeleteKeyExW\" (Indicator: \"RegDeleteKey\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1112",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1112"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "string-402",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to modify process attributes (API string)",
            "description": "Found reference to API \"InitializeProcThreadAttributeList\" (Indicator: \"InitializeProcThreadAttributeList\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"UpdateProcThreadAttribute\" (Indicator: \"UpdateProcThreadAttribute\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"InitializeProcThreadAttributeList\" (Indicator: \"InitializeProcThreadAttributeList\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"UpdateProcThreadAttribute\" (Indicator: \"UpdateProcThreadAttribute\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1562.001",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1562/001"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "string-168",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to create process with token (API string)",
            "description": "Found reference to API \"CreateProcessAsUserW\" (Indicator: \"CreateProcessAsUser\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")",
            "origin": "File/Memory",
            "attck_id": "T1134.002",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1134/002"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "string-535",
            "type": 2,
            "relevance": 0,
            "name": "Contains ability to write files (API string)",
            "description": "Found reference to API \"WriteFile\" (Indicator: \"WriteFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"WriteFile\" (Indicator: \"WriteFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1105",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1105"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "string-308",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to delete files/directories (API string)",
            "description": "Found reference to API \"DeleteFileW\" (Indicator: \"DeleteFile\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"RemoveDirectoryW\" (Indicator: \"RemoveDirectory\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"DeleteFileW\" (Indicator: \"DeleteFile\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")\n Found reference to API \"RemoveDirectoryW\" (Indicator: \"RemoveDirectory\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1070.004",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1070/004"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "string-316",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to terminate a process (API string)",
            "description": "Found reference to API \"TerminateProcess\" (Indicator: \"TerminateProcess\"; File: \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\")\n Found reference to API \"TerminateProcess\" (Indicator: \"TerminateProcess\"; Source: \"00000000-00004716.00000000.77972.49307000.00000002.mdmp, 00000000-00004716.00000001.79890.49307000.00000002.mdmp, 00000000-00004716.00000002.81813.49307000.00000002.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1489",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1489"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "static-87",
            "type": 0,
            "relevance": 1,
            "name": "Imports system security related APIs",
            "description": "Observed import api \"GetFileSecurityW\" which can \"Obtains specified information about the security of a file or directory\" [Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin]\n Observed import api \"GetSecurityDescriptorOwner\" which can \"Retrieves the owner information from a security descriptor\" [Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin]\n Observed import api \"RevertToSelf\" which can \"Terminates the impersonation of a client application\" [Source: 935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin]",
            "origin": "Static Parser",
            "attck_id": "T1134.001",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1134/001"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "System Security",
            "identifier": "string-474",
            "type": 2,
            "relevance": 1,
            "name": "Contains ability to access device drivers",
            "description": "Found string \"\\Device\\HarddiskVolume2\\cmd.exe\" (Indicator: \"\\Device\\\"; Source: \"00000000-00004716.00000000.77972.69D30000.00000004.mdmp, 00000000-00004716.00000001.79890.69D30000.00000004.mdmp, 00000000-00004716.00000002.81813.69D30000.00000004.mdmp\")",
            "origin": "File/Memory",
            "attck_id": "T1543.003",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1543/003"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "External Systems",
            "identifier": "avtest-1",
            "type": 12,
            "relevance": 10,
            "name": "Sample was identified as clean by Antivirus engines",
            "description": "0/71 Antivirus vendors marked sample as malicious (0% detection rate)",
            "origin": "External System",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "General",
            "identifier": "static-92",
            "type": 0,
            "relevance": 5,
            "name": "PE file has unusual entropy resources",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has resource with unusual entropy  \"RT_ICON:7.85051980666\"",
            "origin": "Static Parser",
            "attck_id": "T1027.002",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1027/002"
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "Unusual Characteristics",
            "identifier": "hooks-8",
            "type": 11,
            "relevance": 10,
            "name": "Installs hooks/patches the running process",
            "description": "\"cmd.exe\" wrote bytes \"e0e8c4d7f97f0000\" to virtual address \"0x4932E000\" (part of module \"CMD.EXE\")\n \"cmd.exe\" wrote bytes \"a09d036a5b010000608e036a5b01000090b7016a5b010000a090036a5b010000508d016a5b010000502e016a5b01000020c4036a5b01000070bb036a5b01000080bc036a5b0100004078046a5b010000a0ba036a5b0100000088036a5b010000\" to virtual address \"0xE7D74030\" (part of module \"GDI32.DLL\")",
            "origin": "Hook Detection",
            "attck_id": "T1056.004",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1056/004"
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "Unusual Characteristics",
            "identifier": "static-1",
            "type": 0,
            "relevance": 1,
            "name": "Imports suspicious APIs",
            "description": "UnhandledExceptionFilter\n GetDriveTypeW\n GetFileAttributesW\n GetFileSize\n CreateDirectoryW\n DeleteFileW\n WriteFile\n FindNextFileW\n FindFirstFileW\n FindFirstFileExW\n GetFileAttributesExW\n CreateFileW\n DeviceIoControl\n CopyFileW\n GetProcAddress\n LoadLibraryExW\n GetModuleFileNameW\n GetModuleHandleW\n VirtualAlloc\n ReadProcessMemory\n GetCommandLineW\n TerminateProcess\n CreateProcessW\n GetStartupInfoW\n CreateProcessAsUserW\n RegCreateKeyExW\n RegDeleteValueW\n RegCloseKey\n RegEnumKeyExW\n RegOpenKeyExW\n RegDeleteKeyExW\n Sleep\n GetTickCount\n NtQueryInformationToken\n NtQueryInformationProcess",
            "origin": "Static Parser",
            "attck_id": "T1106",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1106"
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "Anti-Reverse Engineering",
            "identifier": "static-6",
            "type": 0,
            "relevance": 3,
            "name": "PE file has unusual entropy sections",
            "description": ".didat with unusual entropies 0.907093089296",
            "origin": "Static Parser",
            "attck_id": "T1027.002",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1027/002"
          },
          {
            "threat_level": 2,
            "threat_level_human": "malicious",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "target-94",
            "type": 9,
            "relevance": 3,
            "name": "Found a system process name at an unusual pathway",
            "description": "Process \"cmd.exe\" has a system process name but is not located in a Windows (sub-)directory (UID: 00000000-00004716)",
            "origin": "Monitored Target",
            "attck_id": "T1036.005",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/techniques/T1036/005"
          }
        ]
      },
      {
        "classification_tags": [],
        "tags": [],
        "submissions": [
          {
            "submission_id": "60f5dadb3ddbd71a493b4e50",
            "filename": "file",
            "url": null,
            "created_at": "2021-07-19T20:04:43+00:00"
          },
          {
            "submission_id": "60e87e8ed717cf14e5771f4f",
            "filename": "file",
            "url": null,
            "created_at": "2021-07-09T16:51:26+00:00"
          },
          {
            "submission_id": "5f196598c665454d4960c94d",
            "filename": "file",
            "url": null,
            "created_at": "2020-07-23T10:25:28+00:00"
          }
        ],
        "machine_learning_models": [],
        "crowdstrike_ai": {
          "executable_process_memory_analysis": [],
          "analysis_related_urls": []
        },
        "job_id": null,
        "environment_id": null,
        "environment_description": "Static Analysis",
        "size": 232960,
        "type": "PE32+ executable (console) x86-64, for MS Windows",
        "type_short": [
          "peexe",
          "64bits",
          "executable"
        ],
        "target_url": null,
        "state": "SUCCESS",
        "error_type": null,
        "error_origin": null,
        "submit_name": "file",
        "md5": "f4f684066175b77e0c3a000549d2922c",
        "sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
        "sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
        "sha512": "fe8f0593cc335ad28eb90211bc4ff01a3d2992cffb3877d04cefede9ef94afeb1a7d7874dd0c0ae04eaf8308291d5a4d879e6ecf6fe2b8d0ff1c3ac7ef143206",
        "ssdeep": null,
        "imphash": null,
        "entrypoint": null,
        "entrypoint_section": null,
        "image_base": null,
        "subsystem": null,
        "image_file_characteristics": [],
        "dll_characteristics": [],
        "major_os_version": null,
        "minor_os_version": null,
        "av_detect": 0,
        "vx_family": null,
        "url_analysis": false,
        "analysis_start_time": "2020-07-23T10:25:28+00:00",
        "threat_score": null,
        "interesting": false,
        "threat_level": 0,
        "verdict": "no specific threat",
        "certificates": [],
        "is_certificates_valid": null,
        "certificates_validation_message": null,
        "domains": [],
        "compromised_hosts": [],
        "hosts": [],
        "total_network_connections": 0,
        "total_processes": 0,
        "total_signatures": 0,
        "extracted_files": [],
        "file_metadata": null,
        "processes": [],
        "mitre_attcks": [],
        "network_mode": "default",
        "signatures": []
      },
      {
        "classification_tags": [],
        "tags": [],
        "submissions": [
          {
            "submission_id": "60195513efa3090ef70210f9",
            "filename": "utilman.exe",
            "url": null,
            "created_at": "2021-02-02T13:35:15+00:00"
          },
          {
            "submission_id": "5fd594e5fbef250536222759",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2020-12-13T04:13:25+00:00"
          },
          {
            "submission_id": "5f75727102a5f179cd29069e",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2020-10-01T06:08:49+00:00"
          },
          {
            "submission_id": "5ec0ceb2d7ce6a2712303213",
            "filename": "Utilman.exe",
            "url": null,
            "created_at": "2020-05-17T05:42:10+00:00"
          },
          {
            "submission_id": "5e53273fb30de355842896a2",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2020-02-24T01:30:39+00:00"
          },
          {
            "submission_id": "5d288eb0038838a74cfa9906",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2019-07-12T13:44:16+00:00"
          },
          {
            "submission_id": "5d2500bd0288388e538437b1",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2019-07-09T21:01:49+00:00"
          },
          {
            "submission_id": "5cbea1b4038838399c0365ff",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2019-04-23T05:25:08+00:00"
          },
          {
            "submission_id": "5c35e7b37ca3e11e9f79e9a4",
            "filename": "sethc.exe",
            "url": null,
            "created_at": "2019-01-09T06:23:15-06:00"
          },
          {
            "submission_id": "5c35cef37ca3e1571e6b9436",
            "filename": "sethc.exe",
            "url": null,
            "created_at": "2019-01-09T04:37:39-06:00"
          },
          {
            "submission_id": "5c35cdce7ca3e1550a1e6a92",
            "filename": "sethc.exe",
            "url": null,
            "created_at": "2019-01-09T04:32:46-06:00"
          },
          {
            "submission_id": "5b577fba7ca3e13656490373",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-07-24T14:36:26-05:00"
          },
          {
            "submission_id": "5b5601b37ca3e171691d73e2",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-07-23T11:26:27-05:00"
          },
          {
            "submission_id": "5b0e04857ca3e14c8f62c6fb",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-05-29T20:55:17-05:00"
          },
          {
            "submission_id": "5ad854a47ca3e1453f07bc82",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-04-19T03:34:44-05:00"
          },
          {
            "submission_id": "5ab269537ca3e101fb04a953",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-03-21T09:16:51-05:00"
          },
          {
            "submission_id": "5ab0cffe7ca3e12af23357d3",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-03-20T04:10:22-05:00"
          },
          {
            "submission_id": "5a94e29e7ca3e122510713e2",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-02-26T22:46:22-06:00"
          },
          {
            "submission_id": "5a26f15e7ca3e1169435c782",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2017-12-05T13:19:58-06:00"
          },
          {
            "submission_id": "5a26f0c47ca3e1158b6ee0e2",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2017-12-05T13:17:24-06:00"
          }
        ],
        "machine_learning_models": [],
        "crowdstrike_ai": {
          "executable_process_memory_analysis": [],
          "analysis_related_urls": []
        },
        "job_id": "58593319aac2edc56d351531",
        "environment_id": 100,
        "environment_description": "Windows 7 32 bit",
        "size": 232960,
        "type": "PE32+ executable (console) x86-64, for MS Windows",
        "type_short": [
          "peexe",
          "64bits",
          "executable"
        ],
        "target_url": null,
        "state": "SUCCESS",
        "error_type": null,
        "error_origin": null,
        "submit_name": "cmd.exe",
        "md5": "f4f684066175b77e0c3a000549d2922c",
        "sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
        "sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
        "sha512": "fe8f0593cc335ad28eb90211bc4ff01a3d2992cffb3877d04cefede9ef94afeb1a7d7874dd0c0ae04eaf8308291d5a4d879e6ecf6fe2b8d0ff1c3ac7ef143206",
        "ssdeep": "3072:bkd4COZG6/A1tO1Y6TbkX2FtynroeJ/MEJoSsasbLLkhyjyGe:bkuC9+Af0Y6TbbFtkoeJk1KsfLXm",
        "imphash": "3062ed732d4b25d1c64f084dac97d37a",
        "entrypoint": "0x140015190",
        "entrypoint_section": ".text",
        "image_base": null,
        "subsystem": null,
        "image_file_characteristics": [],
        "dll_characteristics": [],
        "major_os_version": null,
        "minor_os_version": null,
        "av_detect": 0,
        "vx_family": null,
        "url_analysis": false,
        "analysis_start_time": "2020-02-24T01:30:48+00:00",
        "threat_score": 30,
        "interesting": false,
        "threat_level": 3,
        "verdict": "no verdict",
        "certificates": [],
        "is_certificates_valid": null,
        "certificates_validation_message": null,
        "domains": [],
        "compromised_hosts": [],
        "hosts": [],
        "total_network_connections": 0,
        "total_processes": 1,
        "total_signatures": 14,
        "extracted_files": [],
        "file_metadata": null,
        "processes": [],
        "mitre_attcks": [
          {
            "tactic": "Discovery",
            "technique": "System Time Discovery",
            "attck_id": "T1124",
            "attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1124",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "File and Directory Discovery",
            "attck_id": "T1083",
            "attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1083",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          }
        ],
        "network_mode": "default",
        "signatures": [
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-7",
            "type": 2,
            "relevance": 1,
            "name": "Contains PDB pathways",
            "description": "\"cmd.pdb\"",
            "origin": "File/Memory",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Reverse Engineering",
            "identifier": "stream-4",
            "type": 1,
            "relevance": 1,
            "name": "Contains ability to register a top-level exception handler (often used as anti-debugging trick)",
            "description": "SetUnhandledExceptionFilter@api-ms-win-core-errorhandling-l1-1-1.dll at 43727-268-00000001400151E4",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-49",
            "type": 1,
            "relevance": 1,
            "name": "Contains ability to query the system locale",
            "description": "GetUserDefaultLCID@api-ms-win-core-localization-l1-2-1.dll at 43727-287-00000001400069BC",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-2",
            "type": 1,
            "relevance": 1,
            "name": "Contains ability to query machine time",
            "description": "GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-284-0000000140002BA0\n GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-285-000000014001F53C\n GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-296-00000001400020C8\n GetLocalTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-993-000000014001F6C3\n GetSystemTimeAsFileTime@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-599-00000001400156B4",
            "origin": "Hybrid Analysis Technology",
            "attck_id": "T1124",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1124"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-3",
            "type": 1,
            "relevance": 1,
            "name": "Contains ability to query the machine version",
            "description": "GetVersion@api-ms-win-core-sysinfo-l1-2-1.dll at 43727-439-0000000140001008",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-37",
            "type": 1,
            "relevance": 3,
            "name": "Contains ability to query volume size",
            "description": "GetDiskFreeSpaceExW@api-ms-win-core-file-l1-2-1.dll at 43727-485-000000014002542C",
            "origin": "Hybrid Analysis Technology",
            "attck_id": "T1083",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1083"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-31",
            "type": 1,
            "relevance": 1,
            "name": "Possibly tries to detect the presence of a debugger",
            "description": "GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-314-000000014000BC30\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-316-0000000140008FA0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-270-000000014000B4A0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-271-000000014000B530\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-277-0000000140011840\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-297-000000014000E278\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-298-000000014000E2EC\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-305-0000000140005C6C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-661-00000001400016F0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-331-0000000140014D2C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-355-0000000140005954\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-366-00000001400032FC\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-383-000000014000D360\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-441-000000014000D110\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-511-000000014000B170\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-523-000000014000BCE0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-588-0000000140006418\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-596-000000014001168C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-605-0000000140014190\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 43727-607-0000000140014044",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Network Related",
            "identifier": "string-3",
            "type": 2,
            "relevance": 10,
            "name": "Found potential URL in binary/memory",
            "description": "Pattern match: \"http://schemas.microsoft.com/SMI/2005/WindowsSettings\"",
            "origin": "File/Memory",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "External Systems",
            "identifier": "avtest-1",
            "type": 12,
            "relevance": 10,
            "name": "Sample was identified as clean by Antivirus engines",
            "description": "0/68 Antivirus vendors marked sample as malicious (0% detection rate)\n 0/22 Antivirus vendors marked sample as malicious (0% detection rate)",
            "origin": "External System",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "Unusual Characteristics",
            "identifier": "static-60",
            "type": 0,
            "relevance": 10,
            "name": "PE file contains unusual section name",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has a section named \".didat\"",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "Unusual Characteristics",
            "identifier": "static-1",
            "type": 0,
            "relevance": 1,
            "name": "Imports suspicious APIs",
            "description": "UnhandledExceptionFilter\n GetDriveTypeW\n GetFileAttributesW\n GetFileSize\n CreateDirectoryW\n DeleteFileW\n WriteFile\n FindNextFileW\n FindFirstFileW\n FindFirstFileExW\n GetFileAttributesExW\n CreateFileW\n DeviceIoControl\n CopyFileW\n GetProcAddress\n LoadLibraryExW\n GetModuleFileNameW\n GetModuleHandleW\n VirtualAlloc\n ReadProcessMemory\n GetCommandLineW\n TerminateProcess\n CreateProcessW\n GetStartupInfoW\n CreateProcessAsUserW\n RegCreateKeyExW\n RegDeleteValueW\n RegCloseKey\n RegEnumKeyExW\n RegOpenKeyExW\n RegDeleteKeyExW\n Sleep\n GetTickCount\n NtQueryInformationToken\n NtQueryInformationProcess",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "stream-42",
            "type": 1,
            "relevance": 3,
            "name": "Possibly tries to hide a process launching it with different user credentials",
            "description": "CreateProcessAsUserW@api-ms-win-core-processthreads-l1-1-2.dll at 43727-828-000000014000EFFE",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 2,
            "threat_level_human": "malicious",
            "category": "General",
            "identifier": "stream-21",
            "type": 1,
            "relevance": 8,
            "name": "Contains ability to start/interact with device drivers",
            "description": "DeviceIoControl@api-ms-win-core-io-l1-1-1.dll at 43727-611-0000000140013690",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 2,
            "threat_level_human": "malicious",
            "category": "Unusual Characteristics",
            "identifier": "stream-22",
            "type": 1,
            "relevance": 5,
            "name": "Contains native function calls",
            "description": "NtFsControlFile@ntdll.dll at 43727-309-00000001400268C4\n NtCancelSynchronousIoFile@ntdll.dll at 43727-532-00000001400227A0\n NtOpenThreadToken@ntdll.dll at 43727-585-00000001400029C0\n NtQueryInformationToken@ntdll.dll at 43727-586-0000000140002A84\n NtQueryInformationToken@ntdll.dll at 43727-587-0000000140002AD4\n NtQueryInformationProcess@ntdll.dll at 43727-630-0000000140004480\n NtOpenFile@ntdll.dll at 43727-643-00000001400042DC\n NtQueryVolumeInformationFile@ntdll.dll at 43727-644-00000001400043D8",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          }
        ]
      },
      {
        "classification_tags": [],
        "tags": [],
        "submissions": [
          {
            "submission_id": "5f85aeb7dbdeb607bb5e34eb",
            "filename": "kiss.exe",
            "url": null,
            "created_at": "2020-10-13T13:42:15+00:00"
          },
          {
            "submission_id": "5d8b4dbf028838d6417f6d53",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2019-09-25T11:21:35+00:00"
          },
          {
            "submission_id": "5d8b4db702883891837f6b95",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2019-09-25T11:21:27+00:00"
          },
          {
            "submission_id": "5d4846eb0288385a279299b7",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2019-08-05T15:10:35+00:00"
          },
          {
            "submission_id": "5d250066038838da118437b2",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2019-07-09T21:00:22+00:00"
          },
          {
            "submission_id": "5ce828c5038838ca61130390",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2019-05-24T17:24:21+00:00"
          },
          {
            "submission_id": "5cb263840388384184827cf6",
            "filename": "sethc.exe",
            "url": null,
            "created_at": "2019-04-13T22:32:36+00:00"
          },
          {
            "submission_id": "5b69b6167ca3e129e233b695",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-08-07T10:09:10-05:00"
          },
          {
            "submission_id": "5b576e3e7ca3e1632e094913",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-07-24T13:21:50-05:00"
          },
          {
            "submission_id": "5b576ce57ca3e15a46380635",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-07-24T13:16:05-05:00"
          },
          {
            "submission_id": "5ab0d1057ca3e12dbd5d09f2",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-03-20T04:14:45-05:00"
          },
          {
            "submission_id": "5a7c75817ca3e13c9b2ebf52",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2018-02-08T10:06:25-06:00"
          },
          {
            "submission_id": "5a34f2a27ca3e13531789a94",
            "filename": "cmd.exe",
            "url": null,
            "created_at": "2017-12-16T04:17:06-06:00"
          }
        ],
        "machine_learning_models": [],
        "crowdstrike_ai": {
          "executable_process_memory_analysis": [],
          "analysis_related_urls": []
        },
        "job_id": "5a34f2a27ca3e13531789a95",
        "environment_id": 120,
        "environment_description": "Windows 7 64 bit",
        "size": 232960,
        "type": "PE32+ executable (console) x86-64, for MS Windows",
        "type_short": [
          "peexe",
          "64bits",
          "executable"
        ],
        "target_url": null,
        "state": "SUCCESS",
        "error_type": null,
        "error_origin": null,
        "submit_name": "cmd.exe",
        "md5": "f4f684066175b77e0c3a000549d2922c",
        "sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
        "sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
        "sha512": "fe8f0593cc335ad28eb90211bc4ff01a3d2992cffb3877d04cefede9ef94afeb1a7d7874dd0c0ae04eaf8308291d5a4d879e6ecf6fe2b8d0ff1c3ac7ef143206",
        "ssdeep": "3072:bkd4COZG6/A1tO1Y6TbkX2FtynroeJ/MEJoSsasbLLkhyjyGe:bkuC9+Af0Y6TbbFtkoeJk1KsfLXm",
        "imphash": "3062ed732d4b25d1c64f084dac97d37a",
        "entrypoint": "0x140015190",
        "entrypoint_section": ".text",
        "image_base": null,
        "subsystem": null,
        "image_file_characteristics": [],
        "dll_characteristics": [],
        "major_os_version": null,
        "minor_os_version": null,
        "av_detect": 0,
        "vx_family": null,
        "url_analysis": false,
        "analysis_start_time": "2019-09-25T11:21:32+00:00",
        "threat_score": 30,
        "interesting": false,
        "threat_level": 3,
        "verdict": "no verdict",
        "certificates": [],
        "is_certificates_valid": null,
        "certificates_validation_message": null,
        "domains": [],
        "compromised_hosts": [],
        "hosts": [],
        "total_network_connections": 0,
        "total_processes": 1,
        "total_signatures": 14,
        "extracted_files": [],
        "file_metadata": null,
        "processes": [],
        "mitre_attcks": [
          {
            "tactic": "Discovery",
            "technique": "File and Directory Discovery",
            "attck_id": "T1083",
            "attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1083",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          },
          {
            "tactic": "Discovery",
            "technique": "System Time Discovery",
            "attck_id": "T1124",
            "attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1124",
            "malicious_identifiers_count": 0,
            "malicious_identifiers": [],
            "suspicious_identifiers_count": 0,
            "suspicious_identifiers": [],
            "informative_identifiers_count": 1,
            "informative_identifiers": [],
            "parent": null
          }
        ],
        "network_mode": "default",
        "signatures": [
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "General",
            "identifier": "string-7",
            "type": 2,
            "relevance": 1,
            "name": "Contains PDB pathways",
            "description": "\"cmd.pdb\"",
            "origin": "File/Memory",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Anti-Reverse Engineering",
            "identifier": "stream-4",
            "type": 1,
            "relevance": 1,
            "name": "Contains ability to register a top-level exception handler (often used as anti-debugging trick)",
            "description": "SetUnhandledExceptionFilter@api-ms-win-core-errorhandling-l1-1-1.dll at 12264-268-00000001400151E4",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-31",
            "type": 1,
            "relevance": 1,
            "name": "Possibly tries to detect the presence of a debugger",
            "description": "GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-314-000000014000BC30\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-316-0000000140008FA0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-270-000000014000B4A0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-271-000000014000B530\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-277-0000000140011840\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-331-0000000140014D2C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-297-000000014000E278\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-298-000000014000E2EC\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-305-0000000140005C6C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-383-000000014000D360\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-355-0000000140005954\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-366-00000001400032FC\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-441-000000014000D110\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-511-000000014000B170\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-523-000000014000BCE0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-588-0000000140006418\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-596-000000014001168C\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-605-0000000140014190\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-623-00000001400123F0\n GetProcessHeap@api-ms-win-core-heap-l1-2-0.dll at 12264-607-0000000140014044",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-37",
            "type": 1,
            "relevance": 3,
            "name": "Contains ability to query volume size",
            "description": "GetDiskFreeSpaceExW@api-ms-win-core-file-l1-2-1.dll at 12264-485-000000014002542C",
            "origin": "Hybrid Analysis Technology",
            "attck_id": "T1083",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1083"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-2",
            "type": 1,
            "relevance": 1,
            "name": "Contains ability to query machine time",
            "description": "GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-284-0000000140002BA0\n GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-285-000000014001F53C\n GetSystemTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-296-00000001400020C8\n GetSystemTimeAsFileTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-599-00000001400156B4\n GetLocalTime@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-993-000000014001F6C3",
            "origin": "Hybrid Analysis Technology",
            "attck_id": "T1124",
            "capec_id": null,
            "attck_id_wiki": "https://attack.mitre.org/wiki/Technique/T1124"
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-3",
            "type": 1,
            "relevance": 1,
            "name": "Contains ability to query the machine version",
            "description": "GetVersion@api-ms-win-core-sysinfo-l1-2-1.dll at 12264-439-0000000140001008",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Environment Awareness",
            "identifier": "stream-49",
            "type": 1,
            "relevance": 1,
            "name": "Contains ability to query the system locale",
            "description": "GetUserDefaultLCID@api-ms-win-core-localization-l1-2-1.dll at 12264-287-00000001400069BC",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "Network Related",
            "identifier": "string-3",
            "type": 2,
            "relevance": 10,
            "name": "Found potential URL in binary/memory",
            "description": "Pattern match: \"http://schemas.microsoft.com/SMI/2005/WindowsSettings\"",
            "origin": "File/Memory",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 0,
            "threat_level_human": "informative",
            "category": "External Systems",
            "identifier": "avtest-1",
            "type": 12,
            "relevance": 10,
            "name": "Sample was identified as clean by Antivirus engines",
            "description": "0/16 Antivirus vendors marked sample as malicious (0% detection rate)\n 0/70 Antivirus vendors marked sample as malicious (0% detection rate)",
            "origin": "External System",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "Unusual Characteristics",
            "identifier": "static-60",
            "type": 0,
            "relevance": 10,
            "name": "PE file contains unusual section name",
            "description": "\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2.bin\" has a section named \".didat\"",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "Unusual Characteristics",
            "identifier": "static-1",
            "type": 0,
            "relevance": 1,
            "name": "Imports suspicious APIs",
            "description": "UnhandledExceptionFilter\n GetDriveTypeW\n GetFileAttributesW\n GetFileSize\n CreateDirectoryW\n DeleteFileW\n WriteFile\n FindNextFileW\n FindFirstFileW\n FindFirstFileExW\n GetFileAttributesExW\n CreateFileW\n DeviceIoControl\n CopyFileW\n GetProcAddress\n LoadLibraryExW\n GetModuleFileNameW\n GetModuleHandleW\n VirtualAlloc\n ReadProcessMemory\n GetCommandLineW\n TerminateProcess\n CreateProcessW\n GetStartupInfoW\n CreateProcessAsUserW\n RegCreateKeyExW\n RegDeleteValueW\n RegCloseKey\n RegEnumKeyExW\n RegOpenKeyExW\n RegDeleteKeyExW\n Sleep\n GetTickCount\n NtQueryInformationToken\n NtQueryInformationProcess",
            "origin": "Static Parser",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 1,
            "threat_level_human": "suspicious",
            "category": "Anti-Detection/Stealthyness",
            "identifier": "stream-42",
            "type": 1,
            "relevance": 3,
            "name": "Possibly tries to hide a process launching it with different user credentials",
            "description": "CreateProcessAsUserW@api-ms-win-core-processthreads-l1-1-2.dll at 12264-828-000000014000EFFE",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 2,
            "threat_level_human": "malicious",
            "category": "General",
            "identifier": "stream-21",
            "type": 1,
            "relevance": 8,
            "name": "Contains ability to start/interact with device drivers",
            "description": "DeviceIoControl@api-ms-win-core-io-l1-1-1.dll at 12264-611-0000000140013690",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          },
          {
            "threat_level": 2,
            "threat_level_human": "malicious",
            "category": "Unusual Characteristics",
            "identifier": "stream-22",
            "type": 1,
            "relevance": 5,
            "name": "Contains native function calls",
            "description": "NtFsControlFile@ntdll.dll at 12264-309-00000001400268C4\n NtCancelSynchronousIoFile@ntdll.dll at 12264-532-00000001400227A0\n NtOpenProcessToken@ntdll.dll at 12264-585-00000001400029C0\n NtQueryInformationToken@ntdll.dll at 12264-586-0000000140002A84\n NtQueryInformationToken@ntdll.dll at 12264-587-0000000140002AD4\n NtSetInformationProcess@ntdll.dll at 12264-630-0000000140004480\n NtOpenFile@ntdll.dll at 12264-643-00000001400042DC\n NtQueryVolumeInformationFile@ntdll.dll at 12264-644-00000001400043D8",
            "origin": "Hybrid Analysis Technology",
            "attck_id": null,
            "capec_id": null,
            "attck_id_wiki": null
          }
        ]
      }
    ]

